Severity by source

Primary rating from Vendor (VulDB).

CVSS vector (Vendor: VulDB):
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Rationale: Network vector per CVE description and CVSS 4.0 input; AC:H for the race-condition timing requirement; PR:N as no credentials are needed; no availability impact from code injection.
Lifecycle Timeline

Description (CVE.org)
A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. The attack can be initiated remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.
Analysis (AI)

Cherry Studio's MCP OAuth Local Callback Server, in all versions up to 1.9.6, accepts OAuth authorization-code callbacks without validating the OAuth `state` parameter, which enables authorization code injection. The PR diff confirms that src/main/services/mcp/oauth/callback.ts processed any inbound `code` value without checking it against a state token bound to the flow in progress, so a network-positioned attacker could substitute a malicious authorization code during an active OAuth flow. …
Vulnerability Assessment (AI)

| Topic | Assessment |
|---|---|
| Exploitation | Cherry Studio must be running and the victim user must have actively initiated an MCP OAuth authentication flow; this starts the local callback server that is the attack surface. … |
| Risk Assessment | The CVSS 4.0 score of 6.3 (Medium) with AV:N/AC:H/PR:N/UI:N reflects meaningful operational complexity: successful exploitation requires the attacker to race the legitimate OAuth callback during the narrow window in which the victim's OAuth flow is in flight, while also knowing or discovering the dynamically assigned local callback port. … |
| Exploit Scenario | A user running Cherry Studio initiates an OAuth authentication flow for an MCP server integration, causing the application to start a local HTTP callback server on a dynamically assigned port without binding it exclusively to loopback. An attacker on the same network who discovers or brute-forces the callback port sends a forged HTTP GET request to the callback path with a crafted `code` parameter and no valid `state`, which the unpatched server accepts and forwards as a legitimate authorization code. … |
| Remediation | The primary fix is the upstream patch in GitHub PR #15388 (https://github.com/CherryHQ/cherry-studio/pull/15388), which adds OAuth state validation to the local callback server. … |
Weakness: CWE-285 Improper Authorization
Technique: Authentication Bypass

Identifiers:
EUVD-2026-40021
GHSA-9c5h-h4mj-p5ch