Vulnerability Details CVE-2026-42073
OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Prior to version 0.5.1, the OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down — without knowing the state value at all. This issue has been patched in version 0.5.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 12.1%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2026-42073
-
cpe:2.3:a:gitlawb:openclaude:0.1.6
-
cpe:2.3:a:gitlawb:openclaude:0.1.7
-
cpe:2.3:a:gitlawb:openclaude:0.1.8
-
cpe:2.3:a:gitlawb:openclaude:0.2.0
-
cpe:2.3:a:gitlawb:openclaude:0.2.1
-
cpe:2.3:a:gitlawb:openclaude:0.2.2
-
cpe:2.3:a:gitlawb:openclaude:0.2.3
-
cpe:2.3:a:gitlawb:openclaude:0.3.0
-
cpe:2.3:a:gitlawb:openclaude:0.4.0
-
cpe:2.3:a:gitlawb:openclaude:0.5.0