CVE-2026-42073
MEDIUM
6,5
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high
Description
AI Translation Available
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down — without knowing the state value at all. This issue has been patched in version 0.5.1.
352
Cross-Site Request Forgery (CSRF)
StableCommon Consequences
Security Scopes Affected:
Confidentiality
Integrity
Availability
Non-Repudiation
Access Control
Potential Impacts:
Gain Privileges Or Assume Identity
Bypass Protection Mechanism
Read Application Data
Modify Application Data
Dos: Crash, Exit, Or Restart
Applicable Platforms
Technologies:
Web Based, Web Server
400
Uncontrolled Resource Consumption
DraftCommon Consequences
Security Scopes Affected:
Availability
Access Control
Other
Potential Impacts:
Dos: Crash, Exit, Or Restart
Dos: Resource Consumption (Cpu)
Dos: Resource Consumption (Memory)
Dos: Resource Consumption (Other)
Bypass Protection Mechanism
Other
Applicable Platforms
Technologies:
Not Technology-Specific, AI/ML
https://github.com/Gitlawb/openclaude/commit/739b8d1f40fde0e401a5cbd2b9a55d88bd…
https://github.com/Gitlawb/openclaude/releases/tag/v0.5.1
https://github.com/Gitlawb/openclaude/security/advisories/GHSA-c73c-x77g-854r