CVE-2026-13534 LOW

CVE-2026-13534: CherryHQ cherry-studio CherryIN Preload API MemoryService.ts sha256 authorization

Vendor Cherryhq
Product cherry-studio
Weakness CWE-639 · IDOR
Published June 29, 2026
Last update June 29, 2026

CVSS base score

2.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was detected in CherryHQ cherry-studio up to 1.9.7. This affects the function sha256 of the file src/main/services/memory/MemoryService.ts of the component CherryIN Preload API. Performing a manipulation of the argument state results in authorization bypass. The attack can be initiated remotely. The attack's complexity is rated as high. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor explains, that "[m]emory is planned to be removed in v2 version."

Key dates

02Disclosure timeline

June 29, 2026 CVE published
June 29, 2026 Record updated