CVE-2026-42073
Published 2026-06-02


Priority: P4 (34)
CVSS 3.1: 6.5 medium (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
EPSS: 0.22% (12.2th percentile)
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down — without knowing the state value at all. This issue has been patched in version 0.5.1.
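The advisory describes the flaw only as a wrong ordering of conditionals in the local OAuth callback handler. The following added example is not OpenClaude's code: it is a hypothetical model of that flaw class (a shutdown branch that runs before the state comparison) beside the hardened ordering, with the URL and parameter names assumed.

```python
import hmac
from urllib.parse import parse_qs, urlparse

# Hypothetical model of a temporary local OAuth callback handler (not OpenClaude's
# implementation). Each handler returns (http_status, server_keeps_running, auth_code).
# A server that stops on an unauthenticated request is the denial-of-service described
# in the advisory: the legitimate callback then has nothing to deliver the code to.


def handle_callback_flawed(url: str, expected_state: str):
    """One shape the flaw class can take: a branch that stops the server sits
    before the CSRF check, so a request with no 'code' (and no valid 'state')
    shuts the listener down without the sender ever knowing the state value."""
    q = parse_qs(urlparse(url).query)
    if "code" not in q:                      # reached before state is examined
        return 400, False, None              # server shuts down here
    if q.get("state", [""])[0] != expected_state:
        return 403, True, None
    return 200, False, q["code"][0]


def handle_callback(url: str, expected_state: str):
    """Hardened ordering: the state comparison is the first thing that happens,
    uses a constant-time compare, and a mismatch never stops the server. Only a
    request carrying the correct state may end the flow, successfully or not."""
    q = parse_qs(urlparse(url).query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return 403, True, None               # reject and keep waiting for the real callback
    if "error" in q or "code" not in q:
        return 400, False, None              # genuine failed authorization: safe to stop
    return 200, False, q["code"][0]


if __name__ == "__main__":
    # Constructed sample: a callback URL with no parameters at all.
    probe = "http://127.0.0.1:8765/callback"
    print("flawed  :", handle_callback_flawed(probe, "s3cret"))  # server stops
    print("hardened:", handle_callback(probe, "s3cret"))         # server keeps running
```
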

Affected (2 ranges)

Vendor     Product      Version range     Fixed in
gitlawb    openclaude   < 0.5.1           0.5.1
gitlawb    openclaude   >= 0, < 0.5.1     0.5.1

Weakness type: Cross-Site Request Forgery