CVE-2026-42073 Overview
CVE-2026-42073 is a Cross-Site Request Forgery (CSRF) vulnerability in OpenClaude, an open-source coding-agent command line interface for cloud and local model providers. The flaw affects the Model Context Protocol (MCP) authentication flow, which spins up a temporary local HTTP server to receive OAuth callbacks. A logic error in the order of conditional checks allows an attacker to bypass state parameter validation and force the local server to terminate. The issue is fixed in version 0.5.1.
Critical Impact
An attacker can shut down the OpenClaude OAuth callback server without knowing the state value, disrupting the MCP authentication flow and impacting availability.
Affected Products
- Gitlawb OpenClaude versions prior to 0.5.1
- OpenClaude MCP authentication flow (OAuth callback handler)
- Local HTTP callback server component
Discovery Timeline
- 2026-06-02 - CVE-2026-42073 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-42073
Vulnerability Analysis
OpenClaude implements its MCP authentication flow by launching a temporary local HTTP server that listens for the OAuth provider's redirect callback. The server is expected to validate an incoming state query parameter against an internally stored value to prevent CSRF attacks against the local listener. Binding the callback to the state value is the standard OAuth 2.0 mitigation for CSRF, the weakness class catalogued as CWE-352.
The vulnerability stems from a logic flaw in the order of conditionals that guard the validation routine. Because the checks evaluate in the wrong sequence, a crafted request reaches a code path that terminates the callback server before the state value is compared. An attacker does not need to know or guess the legitimate state token to trigger the shutdown.
Exploitation requires a victim to visit attacker-controlled content while the OpenClaude OAuth flow is active. The result is a denial-of-service condition against the local authentication listener, interrupting agent setup and MCP provider onboarding.
Root Cause
The root cause is improper ordering of conditional checks in the OAuth callback handler. The server-shutdown branch executes before, or independently of, the state comparison, breaking the CSRF protection contract.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a web page that issues a request to the OpenClaude callback endpoint on localhost while the user has an active authentication flow. The malicious request reaches the unauthenticated code path and causes the local HTTP server to stop, aborting the authentication.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-c73c-x77g-854r for vendor-provided technical context.
Detection Methods for CVE-2026-42073
Indicators of Compromise
- Unexpected termination of the OpenClaude local OAuth callback HTTP server during an active MCP authentication flow.
- Inbound HTTP requests to the OpenClaude loopback callback port originating from browser sessions navigating attacker-controlled pages.
- Repeated failed or incomplete OAuth flows reported by OpenClaude users running versions prior to 0.5.1.
Detection Strategies
- Inventory developer endpoints for OpenClaude installations and identify versions below 0.5.1 using software asset management telemetry.
- Monitor process telemetry for short-lived local HTTP listeners spawned by the OpenClaude CLI and correlate against unexpected exit events.
- Inspect browser and proxy logs for cross-origin requests to localhost callback ports during OAuth windows.
Monitoring Recommendations
- Alert on OpenClaude processes that exit during an in-progress OAuth handshake without completing token exchange.
- Track outbound DNS and HTTP requests from developer workstations to newly registered domains that subsequently trigger localhost callbacks.
- Review GitHub dependency and supply chain alerts referencing GHSA-c73c-x77g-854r.
How to Mitigate CVE-2026-42073
Immediate Actions Required
- Upgrade OpenClaude to version 0.5.1 or later on all developer workstations and build agents.
- Audit recent MCP authentication flows for unexpected interruptions that may indicate exploitation attempts.
- Restrict developer browsers from loading untrusted content during active OAuth authorization windows.
Patch Information
The vulnerability is patched in OpenClaude 0.5.1. The fix reorders the conditional checks in the OAuth callback handler so that state validation occurs before any server-shutdown logic executes. See the GitHub commit 739b8d1 and the GitHub Release v0.5.1 for details.
Workarounds
- Avoid running the OpenClaude MCP authentication flow while browsing untrusted websites if upgrade is not immediately possible.
- Use host firewall rules to restrict inbound connections to the OpenClaude callback port from non-browser local processes.
- Close all unnecessary browser tabs before initiating an MCP OAuth flow to reduce CSRF exposure.
# Upgrade OpenClaude to the patched release
npm install -g openclaude@0.5.1
openclaude --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.