CVE-2026-13524 | CherryHQ cherry-studio up to 1.9.6 MCP OAuth Local Callback Server callback.ts code improper authorization (Issue 15372 / EUVD-2026-40021)
A vulnerability has been found in CherryHQ cherry-studio up to 1.9.6 and classified as critical. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization.
This vulnerability is documented as CVE-2026-13524. The attack can be initiated remotely. Additionally, an exploit exists.
The pull request to fix this issue awaits acceptance.