CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-13524

mediumCVSS 5.6covered by 1 sourcefirst seen 2026-06-29
A security vulnerability has been detected in CherryHQ cherry-studio up to 1.9.6. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. The attack can be initiated remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit has been disclosed publicly and may be used. The pull request to fix this issue awaits acceptance.

⚡ Watch CVE-2026-13524

Get an email if CVE-2026-13524 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-13524

CVE.org record

Embed the live status

CVE-2026-13524 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-13524 status](https://www.csirts.com/badge/CVE-2026-13524)](https://www.csirts.com/cve/CVE-2026-13524)