OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS — CVE-2026-42073

Summary

# OAuth State Validation Bypass via `error` Parameter Causes Local Server DoS in MCP Auth Callback --- ## Description The OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a `state` parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass…

Product

npm: @gitlawb/openclaude

What to do

General, cautious steps (verify details in the official source):

• Review exposure and plan remediation based on risk and environment.
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

• Read the official source
• CVE Record
• NVD

Related advisories