Authorization Bypass in CherryHQ cherry-studio by CherryIN Preload API
CVE-2026-13534

2.3LOW

Key Information:

Vendor: Cherryhq
Status: Cherry-studio
Vendor: CVE Published:; 29 June 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-13534?

A vulnerability in the CherryIN Preload API of CherryHQ's cherry-studio, specifically within the sha256 function of the MemoryService module, allows for an authorization bypass. This flaw arises from manipulating the argument state, presenting a risk that can be exploited remotely. The complexity of executing this attack is rated as high, but it is worth noting that exploitability remains difficult. As the threat landscape evolves, the vendor has indicated plans to remove the affected memory function in a future version (v2).

Affected Version(s)

cherry-studio 1.9.0

cherry-studio 1.9.1

cherry-studio 1.9.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-13534 - Proof of Concept

References

https://vuldb.com/vuln/374542

vdb-entrytechnical-description

https://vuldb.com/vuln/374542/cti

signaturepermissions-required

https://vuldb.com/cve/CVE-2026-13534

third-party-advisory

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 29, 2026
👾
Exploit known to exist
Jun 29, 2026
Vulnerability published
Jun 29, 2026
Vulnerability Reserved
Jun 28, 2026

Credit

dem0000 (VulDB User)

VulDB CNA Team

CVE-2026-13534 Data

JSON

Cherryhq