CVE-2026-42073: OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS
The OpenClaude MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent CSRF attacks, the server validates a state parameter against an internally stored value. However, due to a logic flaw in the order of conditionals, an attacker can completely bypass this check and force the server to shut down — without knowing the state value at all.
The vulnerable code looks like this (`oauthState` is the value stored when the flow began; `errorMessage` is derived from the `error` query parameter):

```javascript
// Bug: the state check is guarded by `!error`, so any request carrying an
// `error` parameter skips it entirely and falls through to the cleanup branch.
if (!error && state !== oauthState) {
  rejectOnce(new Error('OAuth state mismatch - possible CSRF attack'))
  return
}
if (error) {
  cleanup() // shuts down the local callback server, aborting the pending login
  rejectOnce(new Error(errorMessage))
  return
}
```
When a request arrives with an error query parameter (e.g., ?error=anything), the first condition becomes false because !error evaluates to false. This means the CSRF check is never reached. Execution falls through to the second block, where cleanup() is called — shutting down the local server and terminating the user’s active authentication session.
The attacker does not need to know the state value. Any request containing an error parameter is enough to trigger the shutdown.