Medium severity (CVSS 6.5, NVD). Advisory published Jun 2, 2026, updated Jun 3, 2026.
CVE-2026-42073
Description
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down — without knowing the state value at all. This issue has been patched in version 0.5.1.
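An added, constructed illustration of the defensive ordering the description implies (this is not OpenClaude's code, and the real flaw may differ in detail): a temporary local OAuth callback handler must validate the `state` parameter before any branch that can stop the server, so a request without the correct state, even one carrying an OAuth `error` parameter, cannot end the flow. `CallbackServer`, `handle` and the request paths are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


class CallbackServer:
    """Hypothetical stand-in for a short-lived local OAuth callback handler."""

    def __init__(self) -> None:
        # Unguessable per-flow state, generated before the browser is opened.
        self.expected_state = secrets.token_urlsafe(32)
        self.code = None          # authorization code received, if any
        self.shut_down = False    # whether the handler decided to stop serving

    def handle(self, path: str) -> tuple[int, str]:
        """Process one callback request; returns (http_status, message)."""
        params = parse_qs(urlparse(path).query)
        state = params.get("state", [None])[0]

        # 1. The CSRF check comes first. No other branch, including the one
        #    that shuts the server down, may run until state is proven.
        if state is None or not hmac.compare_digest(
            state.encode(), self.expected_state.encode()
        ):
            return 400, "invalid or missing state"

        # 2. Only a request bound to this flow may report an error and end it.
        if "error" in params:
            self.shut_down = True
            return 400, "authorization failed: " + params["error"][0]

        # 3. Likewise, only a state-bound request may deliver the code.
        code = params.get("code", [None])[0]
        if code is None:
            return 400, "missing code"
        self.code = code
        self.shut_down = True
        return 200, "ok"


def forged_request_cannot_stop_server() -> bool:
    """Constructed check: unauthenticated callbacks leave the server running."""
    srv = CallbackServer()
    srv.handle("/callback?error=access_denied")             # no state at all
    srv.handle("/callback?state=wrong&code=deadbeef")       # guessed state
    return not srv.shut_down and srv.code is None
```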
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @gitlawb/openclaude (npm) | < 0.5.1 | 0.5.1 |
References
- github.com/Gitlawb/openclaude/commit/739b8d1f40fde0e401a5cbd2b9a55d88bd5124ad (patch; source: NVD)
- github.com/Gitlawb/openclaude/security/advisories/GHSA-c73c-x77g-854r (vendor advisory, exploit; source: NVD)
- github.com/advisories/GHSA-c73c-x77g-854r (advisory; source: GHSA)
- nvd.nist.gov/vuln/detail/CVE-2026-42073 (advisory; source: GHSA)
- github.com/Gitlawb/openclaude/releases/tag/v0.5.1 (release notes; source: NVD)