CVE-2026-13534
Received - Intake

Authorization Bypass in CherryStudio via MemoryService


Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description

A vulnerability was detected in CherryHQ cherry-studio up to 1.9.7. This affects the function sha256 of the file src/main/services/memory/MemoryService.ts of the component CherryIN Preload API. Performing a manipulation of the argument state results in authorization bypass. The attack can be initiated remotely. The attack's complexity is rated as high. It is indicated that the exploitability is difficult. The exploit is now public and may be used. The vendor explains that "[m]emory is planned to be removed in v2 version."

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor | Product | Version / Range
cherryhq | cherry_studio | to 1.9.7 (inc)

CWE
CWE ID | Description
CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Detection Guidance

The vulnerability involves the memory deduplication mechanism in Cherry Studio where the deduplication key is based solely on the SHA256 hash of the memory text, ignoring user and assistant scope boundaries. Detection would involve checking if identical memory entries from different users or assistants are being incorrectly blocked or if memory insertions are skipped due to global hash collisions.

To detect this on your system, you could inspect the database or logs for instances where memory insertions are rejected due to duplicate SHA256 hashes despite different user or assistant IDs.

Suggested commands might include querying the database for memory entries with identical SHA256 hashes but different user_id or agent_id values, for example (assuming a SQL database):

  • SELECT sha256_hash,
           COUNT(DISTINCT user_id) AS user_count,
           COUNT(DISTINCT agent_id) AS agent_count
    FROM memory_table  -- placeholder table and column names; adjust to the actual schema
    GROUP BY sha256_hash
    HAVING COUNT(DISTINCT user_id) > 1 OR COUNT(DISTINCT agent_id) > 1;
  • Check application logs for errors or warnings related to memory insertion failures or authorization bypass attempts.

Compliance Impact

The vulnerability in CherryHQ cherry-studio allows an authorization bypass through manipulation of the argument state in the memory deduplication function. This flaw causes memory deduplication to ignore user and assistant scope boundaries, potentially exposing that identical memory content exists across different users or assistants. Such exposure can lead to unauthorized inference of sensitive information between users.

This cross-scope information leakage could impact compliance with data protection regulations like GDPR and HIPAA, which require strict access controls and confidentiality of personal and sensitive data. By allowing one user to infer the existence of another user's data, the vulnerability undermines data isolation and confidentiality principles mandated by these standards.

However, the attack complexity is high and exploitability is difficult, and the vendor plans to remove the affected memory feature in a future version, which may mitigate long-term compliance risks.

Executive Summary

The vulnerability in CherryHQ cherry-studio up to version 1.9.7 affects the memory deduplication mechanism in the CherryIN Preload API, specifically in the sha256 function of MemoryService.ts. The deduplication key is based solely on the SHA256 hash of the memory text, ignoring user and assistant scope boundaries. This causes identical memory content from different users or assistants to be treated as duplicates, preventing legitimate storage and allowing inference of memory existence across scopes. An attacker can manipulate the argument state remotely to bypass authorization and exploit this flaw.

Impact Analysis

This vulnerability can impact users by allowing unauthorized inference of memory content stored by other users or assistants, violating data isolation. For example, if one user stores sensitive information, another user can detect its existence by attempting to store the same content and observing the deduplication behavior. Additionally, it can prevent legitimate memory storage for different users if the content is identical, and may cause incorrect restoration of deleted memories with wrong ownership. The attack can be initiated remotely but is considered difficult to exploit.

Mitigation Strategies

Immediate mitigation involves applying the fix that scopes the memory deduplication key to include user_id and agent_id, preventing cross-scope authorization bypass.

Since the vendor plans to remove the memory feature in version 2, a short-term fix is to update Cherry Studio to include the patch that modifies the hashing mechanism to incorporate schema version, user, assistant, and trimmed memory text.
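
The difference between a text-only deduplication key and a scoped key, as an added example (not Cherry Studio's code and not the actual patch). `MemoryInput`, `DedupStore`, `SCHEMA_VERSION` and the JSON-array encoding are assumptions made for illustration, and the sample records are constructed.

```typescript
import { createHash } from "node:crypto";

// Hypothetical record shape; not Cherry Studio's actual schema.
interface MemoryInput { userId: string; agentId: string; text: string; }
type KeyFn = (m: MemoryInput) => string;

const SCHEMA_VERSION = "v1"; // assumed version tag

const sha256Hex = (s: string): string =>
  createHash("sha256").update(s, "utf8").digest("hex");

// Weak form from the report: the key depends on the memory text alone.
const textOnlyKey: KeyFn = (m) => sha256Hex(m.text);

// Scoped form: schema version, user, assistant and trimmed text.
// JSON array encoding keeps field boundaries unambiguous, so
// ("a", "b|c") and ("a|b", "c") cannot hash to the same key.
const scopedKey: KeyFn = (m) =>
  sha256Hex(JSON.stringify([SCHEMA_VERSION, m.userId, m.agentId, m.text.trim()]));

// Minimal in-memory store that skips an insert whose key already exists.
class DedupStore {
  private seen = new Set<string>();
  private keyFn: KeyFn;
  constructor(keyFn: KeyFn) { this.keyFn = keyFn; }
  add(m: MemoryInput): "stored" | "skipped" {
    const key = this.keyFn(m);
    if (this.seen.has(key)) return "skipped";
    this.seen.add(key);
    return "stored";
  }
}

// Constructed sample: two users save the same text, then the first repeats it.
function runScenario(keyFn: KeyFn): string[] {
  const store = new DedupStore(keyFn);
  const text = "prefers oat milk";
  return [
    store.add({ userId: "alice", agentId: "a1", text }),
    store.add({ userId: "bob", agentId: "a1", text }),   // different user
    store.add({ userId: "alice", agentId: "a1", text }), // genuine duplicate
  ];
}

console.log("text-only key:", runScenario(textOnlyKey)); // second insert is skipped
console.log("scoped key:   ", runScenario(scopedKey));   // second insert is stored
```

With the text-only key the second user's insert is skipped, which is both the storage failure and the existence signal the report describes; with the scoped key only the genuine duplicate is skipped.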

If updating is not immediately possible, consider restricting remote access to the affected component or enforcing stricter access controls to reduce the risk of remote exploitation.

Monitor for public exploits and apply vendor updates as soon as they become available.
