CVE-2026-40501

CherryHQ · cherry-studio

Cherry Studio is susceptible to an inclusion of functionality from an untrusted control sphere, leading to remote code execution.

Executive summary

A critical misconfiguration in Cherry Studio allows for remote code execution through the inclusion of untrusted functionality, posing a significant security risk.

Vulnerability

This issue involves the inclusion of functionality from an untrusted control sphere (CWE-829) due to a misconfiguration in the SearchService node integration. It allows an unauthenticated attacker to achieve remote code execution via user-assisted interaction.

Business impact

The CVSS score of 8.8 reflects the high severity of this remote code execution flaw. If exploited, an attacker could gain full control over the application environment, potentially leading to unauthorized access to sensitive user data and long-term compromise of the host system.

Remediation

Immediate Action: Upgrade to the latest version of cherry-studio that incorporates the patch provided in commit 151853035e8e417a51559ebfc243eda98361a882.

Proactive Monitoring: Review application performance and access logs for anomalous behavior related to SearchService requests or unexpected file system modifications.

Compensating Controls: Restrict application access to trusted internal networks and utilize endpoint security solutions to monitor for unauthorized execution of child processes by the Cherry Studio application.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

Given the availability of a proof-of-concept and the high technical impact, organizations should treat this vulnerability with high urgency. Applying the vendor-provided update is the only effective way to remediate the underlying misconfiguration.