Improper Authorization in CherryHQ Cherry-Studio Affects MCP OAuth Local Callback Server
CVE-2026-13524

6.3MEDIUM

Key Information:

Vendor: Cherryhq
Status: Cherry-studio
Vendor: CVE Published:; 29 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-13524?

A security vulnerability has been identified in CherryHQ's cherry-studio, specifically in the MCP OAuth Local Callback Server's handling of the OAuth callback. This issue affects versions up to 1.9.6, allowing remote attackers to manipulate authorization arguments. Exploiting this vulnerability poses significant challenges due to its complexity level, making it difficult to execute. The issue has been disclosed publicly, with a pending pull request aimed at addressing the flaw. Users of affected versions are advised to monitor updates closely and apply patches when available.

Affected Version(s)

cherry-studio 1.9.0

cherry-studio 1.9.1

cherry-studio 1.9.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-13524 - Proof of Concept

References

https://vuldb.com/vuln/374532

vdb-entrytechnical-description

https://vuldb.com/vuln/374532/cti

signaturepermissions-required

https://vuldb.com/cve/CVE-2026-13524

third-party-advisory

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 29, 2026
👾
Exploit known to exist
Jun 29, 2026
Vulnerability published
Jun 29, 2026
Vulnerability Reserved
Jun 28, 2026

Credit

dem0000 (VulDB User)

VulDB CNA Team

CVE-2026-13524 Data

JSON

Cherryhq