PatchSiren

CVE-2026-13534 CherryHQ CVE debrief

CVE-2026-13534 is an authorization bypass vulnerability in CherryHQ cherry-studio up to 1.9.7. The vulnerability affects the function sha256 of the file src/main/services/memory/MemoryService.ts of the component CherryIN Preload API. An attacker can manipulate the argument state to bypass authorization. The attack can be initiated remotely, but its complexity is rated as high and exploitability is difficult. The exploit is now public and may be used. The vendor plans to remove the affected memory in version 2.

Vendor: CherryHQ
Product: cherry-studio
CVSS: LOW 1.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-29
Original CVE updated: 2026-06-29
Advisory published: 2026-06-29
Advisory updated: 2026-06-29

Who should care

Security teams responsible for CherryHQ cherry-studio up to 1.9.7 should be aware of this vulnerability. The attack complexity is rated high and exploitation is difficult; defenders should prioritize patching and monitoring for potential exploitation attempts. Organizations using an affected version should assess their exposure and take the necessary actions.

Technical summary

CVE-2026-13534 is an authorization bypass vulnerability in CherryHQ cherry-studio up to 1.9.7. The vulnerability is located in the sha256 function of src/main/services/memory/MemoryService.ts in the CherryIN Preload API component. An attacker can manipulate the state argument to bypass authorization. The CVSS score is 1.3, indicating low severity. The attack vector is network-based, and the attack complexity is high.

Defensive priority

Defenders should prioritize patching the vulnerability and monitoring for potential exploitation attempts. Due to the high complexity and difficult exploitability, defenders may also consider compensating controls and exception tracking.

Recommended defensive actions

  • Apply the vendor's planned patch in version 2.
  • Monitor for potential exploitation attempts.
  • Perform a thorough inventory check to identify affected systems.
  • Implement compensating controls to mitigate potential exploitation.
  • Track exceptions and anomalies in system behavior.

Evidence notes

The CVE-2026-13534 vulnerability was detected in CherryHQ cherry-studio up to 1.9.7. The vulnerability affects the function sha256 of the file src/main/services/memory/MemoryService.ts of the component CherryIN Preload API. The attack can be initiated remotely, but its complexity is rated as high and exploitability is difficult. The exploit is now public and may be used.

This article is AI-assisted and based on the supplied source corpus.