Open-source AI desktop client Cherry Studio found to have a privacy-design flaw: after users shut off the option “anonymously sending error reports and data statistics,” the client continues to transmit identification data including device IDs, system information, and CPU architecture. After GitHub user Yuerchu posted packet-capture screenshots in Issue #14387 , developer kangfenmao acknowledged in the comments that the problem is real.
Issue breakdown: three types of events vary in how strictly they follow the “off” setting
(Source: Github)
According to code auditing, the Cherry Studio client reports three types of events, but the behavior of all three differs fundamentally:
AI conversations: normally complies with the user’s switch setting; once turned off, nothing is reported.
App launch: directly bypasses the switch setting; it will be reported regardless of how the user sets it.
Update checks: also directly bypasses the switch setting; it will be reported regardless of how the user sets it.
Each outbound request includes a dedicated device ID, plus an operating system version, CPU architecture, and the app version number—forming a long-term device identification and tracking combination.
Code audit: the switch was deliberately removed on March 22
Community members reviewed the code and found that when this reporting mechanism was first added in February 2026, the switch worked for all three event types. However, on March 22, maintainer kangfenmao submitted a change that didn’t just remove the switch-check logic for app launches and update checks—it also bundled additional device identification information into the request headers.
This problematic code ran continuously across four versions—v1.8.3, v1.8.4, v1.9.0, and v1.9.1—for about a month before the community discovered it and publicly disclosed it.
An even earlier old hole: a hidden script that silently re-enables the upgrade switch
While tracking older versions of the code, the community found another layer of the issue: when the analytics feature was first added in February 2025, an upgrade script was also embedded—whenever a user was upgraded from an older version, the “anonymous statistics” switch would automatically be turned on once. After that, although the analytics service backend was changed in sequence from Google Analytics to PostHog and Sentry, and then to the current self-hosted analytics.cherry-ai.com, this script that automatically turns the switch back on was never removed.
The practical impact is: users who installed Cherry Studio before February 2025 and then performed any upgrades—regardless of whether they previously manually turned off that setting—will have the switch silently re-enabled after every upgrade, and they must manually turn it off again after upgrading.
FAQ
What device information does Cherry Studio specifically collect?
According to code auditing, each reporting request contains: a unique device ID (persistent tracking across sessions), the operating system version, CPU architecture, and the app version number. This combination of information allows long-term identification and tracking of specific devices in the analytics backend; even without a name or account details, it can still form an effective device fingerprint.
Are sensitive data such as chat content and API keys also sent out?
Developer kangfenmao has explicitly stated that sensitive data such as chat content, user input, documents, and API keys does not go through this reporting channel and is outside the scope of impacted data. What is currently being sent is only device-identification-related metadata.
What actions should affected users take now?
The fixed version has been merged via PR #14390, and it is recommended that users update immediately to the latest version. After updating, users should manually confirm that the privacy statistics switch is turned off—because of the issue with the old upgrade script, the upgrade process itself may turn the switch back on again. If you have higher requirements for privacy, it is recommended that after updating you verify—using a network monitoring tool—that requests to analytics.cherry-ai.com have stopped.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
DDC Enterprise Reports Record $39.2M Revenue, Holds 2,383 BTC Worth $182M
DDC Enterprise reports 2025 revenue of $39.2M (+4.6%), holds ~2,383 BTC (~$182M) in the top 30, and unveils the AI-driven DDC Treasury Intelligence Platform for optimized Bitcoin fund management.
GateNews1h ago
ProCap Financial Partners with Kalshi to Offer Prediction Market Research Service
Abstract: ProCap Financial, led by Anthony Pompliano, partners with Kalshi to offer AI-powered research using Kalshi's real-time data within ProCap Insights. The service, the first to license Kalshi data to a paid research firm, aims to publish market analyses, strategies, and mispricing signals amid evolving regulation and enforcement priorities.
Summary: ProCap teams with Kalshi to provide AI-driven research on prediction markets, integrating Kalshi data; aims to reveal mispricings, trends, and strategies amid evolving regulation.
GateNews6h ago
Cobo Launches AI-Driven Agentic Wallet Supporting 80+ Blockchains with Multi-Party Computation Security
Gate News message, April 21 — Singapore-based digital asset custody firm Cobo unveiled the Cobo Agentic Wallet on April 20, a new product designed to enable artificial intelligence systems to independently execute blockchain transactions within a secure and controlled framework. The wallet allows
GateNews11h ago
DDC Enterprise Launches Bitcoin Treasury AI Operating System with Treasury Graph Framework
Gate News message, April 21 — DDC Enterprise, a U.S. publicly listed company, announced the launch of "DDC Treasury Intelligence Platform," an AI operating system designed for enterprise bitcoin reserve management. Developed in collaboration with Appnovation, the platform leverages large language
GateNews12h ago
Portal Launches 2.0 with AI-Native Focus, Led by Former Ubisoft Director Benjamin Charbit
Gate News message, April 21 — Portal, a cross-chain gaming platform, announced the launch of Portal 2.0, driven by a new leadership team backed by Animoca Brands. Benjamin Charbit, former game director at Ubisoft, has been appointed as CEO. The platform is shifting its strategic focus toward
GateNews13h ago
Bitcoin Tops $75K as Ceasefire Hopes Drive Rally
Bitcoin rose on ETF demand while miners sold BTC; margins tightened and AI/HPC-focused pivots could turn miners into AI data-center players, potentially boosting valuations as AI demand grows.
Abstract: Bitcoin rose on ETF demand amid miner selling and tight margins. The report highlights a strategic pivot by public miners toward AI/HPC infrastructure, signaling a potential shift from pure bitcoin mining to AI data-center services and higher valuation multiples.
CryptoFrontier16h ago
