What happened
CherryHQ cherry-studio up to version 1.9.6 contains an improper authorization vulnerability in the MCP OAuth local callback server (src/main/services/mcp/oauth/callback.ts). Manipulation of the 'code' argument in the OAuth callback flow allows a remote attacker to bypass authorization controls, potentially hijacking MCP OAuth sessions or intercepting authorization codes.
Why it matters
Cherry Studio is a desktop AI client that connects to MCP servers using OAuth. An authorization bypass in the OAuth callback allows an attacker to hijack the OAuth flow and obtain tokens for MCP servers that Cherry Studio is authenticated to, granting the attacker access to all tools and data sources the victim's MCP integrations can reach.
Attack vector
A remote attacker manipulates the OAuth callback 'code' parameter in the MCP OAuth local callback server to bypass authorization checks and hijack or forge an OAuth session.
Affected systems
CherryHQ/cherry-studio ≤ 1.9.6
Mitigation
Upgrade to CherryHQ/cherry-studio > 1.9.6. See: https://github.com/CherryHQ/cherry-studio/
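The advisory does not describe the patch. As an added example (not Cherry Studio's code or its fix), this TypeScript shows the checks a local OAuth callback handler generally applies before accepting a 'code': a pending flow must exist, the 'state' value must match the one the client sent (RFC 6749), and the flow is single-use. All function names, the callback path, the length bound and the sample values are assumptions.

```typescript
// Added example: hypothetical names, not Cherry Studio's code or its patch.
interface PendingFlow { state: string; expiresAt: number; used: boolean }
type CallbackResult = { ok: true; code: string } | { ok: false; reason: string };

const CALLBACK_PATH = "/oauth/callback"; // assumed path, not from the advisory

// Constant-time comparison so a state check does not leak how much matched.
function safeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Record the state sent to the authorization server (generate it with a CSPRNG).
function beginFlow(state: string, now: number, ttlMs = 300000): PendingFlow {
  return { state, expiresAt: now + ttlMs, used: false };
}

// Accept a code only when the request belongs to the one flow this client started.
function validateCallback(flow: PendingFlow | null, requestUrl: string, now: number): CallbackResult {
  const fail = (reason: string): CallbackResult => ({ ok: false, reason });
  if (!flow || flow.used) return fail("no pending flow");
  if (now > flow.expiresAt) return fail("flow expired");
  const url = new URL(requestUrl, "http://127.0.0.1");
  if (url.pathname !== CALLBACK_PATH) return fail("unexpected path");
  const q = url.searchParams;
  // Repeated parameters are ambiguous; require exactly one of each.
  if (q.getAll("state").length !== 1 || q.getAll("code").length !== 1) return fail("malformed query");
  // State is checked before the code is even looked at.
  if (!safeEqual(q.get("state") || "", flow.state)) return fail("state mismatch");
  if (q.has("error")) return fail("authorization server returned error");
  const code = q.get("code") || "";
  // RFC 6749 limits code to printable ASCII; the 512 bound is an assumption.
  if (!/^[\x20-\x7e]{1,512}$/.test(code)) return fail("malformed code");
  flow.used = true; // single use: a replayed callback finds no pending flow
  return { ok: true, code };
}

// Constructed sample values for a stand-alone run.
const sampleFlow = beginFlow("constructed-state-7f3a", 1000);
const sampleResult = validateCallback(sampleFlow, "/oauth/callback?code=abc123&state=constructed-state-7f3a", 2000);
console.log(sampleResult);
```

A rejected callback leaves the pending flow untouched, so the legitimate redirect can still complete until the flow expires.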