Logic Flaw in OpenClaude's MCP Authentication Flow
CVE-2026-42073

6.5 MEDIUM

Key Information:

Vendor:
Gitlawb
CVE Published:
2 June 2026

What is CVE-2026-42073?

OpenClaude, an open-source coding-agent command line interface, had a vulnerability in its MCP authentication flow. Before version 0.5.1, the client started a temporary local HTTP server to receive OAuth callbacks. That server was meant to defend against CSRF by validating the callback's state parameter against an internally generated value. A logic flaw in the order in which the handler evaluated its conditions, however, allowed the state check to be bypassed entirely: an attacker could cause the callback server to shut down without knowing the state value. The issue is fixed in version 0.5.1.
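The class of ordering bug described above, as an added illustration that is not OpenClaude's code (the page contains no source). The `error` parameter, the listener port and the state value are assumptions; the hypothetical BEFORE places an abort branch ahead of the state check, and the AFTER validates state before any branch that can end the listener.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample value; a real listener would generate the state with
# secrets.token_urlsafe() at start-up and discard it after one use.
EXPECTED_STATE = "k9Zt3qW1example"


def parse_callback(url: str) -> dict:
    """Flatten the redirect-URI query string to single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def state_matches(q: dict, expected: str) -> bool:
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return secrets.compare_digest(q.get("state", "").encode(), expected.encode())


def vulnerable_callback(url: str, expected: str = EXPECTED_STATE):
    """BEFORE (hypothetical ordering): an abort branch runs before the state
    check, so any request carrying 'error' stops the listener."""
    q = parse_callback(url)
    if "error" in q:
        return ("shutdown", None)            # reached without knowing state
    if not state_matches(q, expected):
        return ("ignore", None)
    return ("shutdown", q.get("code"))


def hardened_callback(url: str, expected: str = EXPECTED_STATE):
    """AFTER: state is validated before any branch that can end the server."""
    q = parse_callback(url)
    if not state_matches(q, expected):
        return ("ignore", None)              # keep listening; log the attempt
    if "error" in q:
        return ("shutdown", None)            # genuine provider error
    if "code" not in q:
        return ("ignore", None)              # state-bearing but malformed
    return ("shutdown", q["code"])


if __name__ == "__main__":
    probe = "http://127.0.0.1:8765/callback?error=access_denied"
    print("vulnerable:", vulnerable_callback(probe))   # ('shutdown', None)
    print("hardened:  ", hardened_callback(probe))     # ('ignore', None)
```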

Affected Version(s)

openclaude < 0.5.1

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published: 2 June 2026

  • Vulnerability reserved