A vulnerability has been found in CherryHQ cherry-studio up to 1.9.6 and classified as critical. This vulnerability affects unknown code of the file src/main/services/mcp/oauth/callback.ts of the component MCP OAuth Local Callback Server. The manipulation of the argument code leads to improper authorization. This vulnerability is documented as CVE-2026-13524. The attack can be initiated remotely. Additionally, an exploit exists. The pull request to fix this issue awaits acceptance.