CVE-2026-42073 MEDIUM

CVE-2026-42073: OpenClaude's MCP OAuth Callback: State Check Bypass via error Param Leads to DoS

Vendor Gitlawb
Product openclaude
Weakness CWE-352 · CSRF
Published June 2, 2026
Last update June 2, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down — without knowing the state value at all. This issue has been patched in version 0.5.1.

Key dates

02Disclosure timeline

June 2, 2026 CVE published
June 2, 2026 Record updated