OpenClaude MCP, OAuth State Validation Bypass via Error Parameter, Critical CVE(Not Applicable)

Listen to this Post

The vulnerability exists in the OAuth callback handler of OpenClaude MCP authentication flow. A local HTTP server is started to receive OAuth redirects. To prevent CSRF, the server compares a `state` query parameter with an internally stored oauthState. However, the conditional logic is flawed: the state check is wrapped in if (!error && state !== oauthState). When an attacker adds any `error` parameter to the callback URL (e.g., ?error=anything), `!error` evaluates to false, skipping the entire state validation. Execution then proceeds to the next `if (error)` block, which calls `cleanup()` and shuts down the server immediately. No knowledge of the correct `state` value is required. This allows a remote attacker to terminate any ongoing OAuth session via a cross-origin request (e.g., from a malicious website). The root cause is coupling state validation with absence of error. The fix moves state check before error check, removing the `!error` condition. The vulnerable code pattern is common in Node.js HTTP servers using url.parse(). The attack works over localhost (127.0.0.1) but can be triggered from any origin due to lack of CORS restrictions. The server shutdown prevents completion of authentication, causing denial of service for the user.

dailycve form:

Platform: OpenClaude MCP auth
Version: Not specified
Vulnerability: State validation bypass
Severity: High
date: 2026-05-12

Prediction: Patch date unknown

What Undercode Say:

Analytics: Check logic ordering

Simulate vulnerable server
node poc.js &
Trigger bypass
curl "http://127.0.0.1:12345/callback?error=triggered"
Expected: server stops
Fixed version
if [ "$state" != "$oauthState" ]; then cleanup; exit; fi
if [ -n "$error" ]; then cleanup; exit; fi

Exploit:

Single curl command to kill callback server
curl "http://127.0.0.1:12345/callback?error=DoS"
Malicious JavaScript
fetch('http://127.0.0.1:12345/callback?error=attack', {mode:'no-cors'})

Protection from this CVE:

  • Reorder conditionals: validate state before checking error
  • Remove `!error` dependency from state comparison
  • Use constant-time comparison for state
  • Bind callback server to random port or require referer header

Impact:

  • Denial of service of OAuth callback server
  • Aborted authentication sessions for all users
  • Remote trigger via CSRF without prior knowledge
  • No logging of bypass attempts due to premature shutdown

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top