Cherry Studio exposed for secretly continuing to transmit device information after users turn off "Anonymous Statistics"; author admits the switch failed


ME News Report, April 20 (UTC+8): according to Beating Monitoring, users have found that the privacy switch in the open-source AI client Cherry Studio does not work. GitHub user Yuerchu posted a packet capture screenshot in Issue #14387 showing that, after “Anonymous error reporting and data statistics” was turned off, the client continued to send requests to analytics.cherry-ai.com.

Cherry Studio is led by domestic developer kangfenmao. It aggregates multiple large models and supports local knowledge bases, and it is one of the most popular open-source AI desktop clients among domestic users.

The client reports three types of events: each AI conversation, each application startup, and each update check. Only the conversation event respects the user's setting; the other two bypass the switch and send data directly. Each request includes a unique device ID along with system information, CPU architecture, application version, and more, which effectively enables long-term tracking of the computer.

The code history shows that when this reporting mechanism was added in February 2026, the switch was functional. On March 22, maintainer kangfenmao made a change himself that removed the switch check and added more device information to the request headers. These changes were present in versions v1.8.3, v1.8.4, v1.9.0, and v1.9.1 and ran for a month.

Kangfenmao admitted the problem in the issue thread, explaining that different events used different logic to check the switch; with the setting turned off, requests for app startup and update checks were not blocked. Sensitive data such as chat content, user input, files, and API keys does not go through this channel. The fix, PR #14390, has been merged and makes all three event types use the same switch.

There is an even earlier layer to this issue. Community members found that in February 2025, when the project first added analytics features, a script was also embedded: for users upgrading from older versions, the “anonymous statistics” switch would automatically be turned on once. Since then, the backend analytics service has changed from Google Analytics to PostHog, then Sentry, and now the self-hosted analytics.cherry-ai.com, but this automatic switch-on code has never been removed. In other words, users who installed Cherry Studio before February 2025 and then upgraded would have the switch turned on again during the upgrade, regardless of whether they had manually turned it off beforehand, and would need to turn it off manually again after upgrading. (Source: BlockBeats)
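
The failure mode described above (each event deciding for itself whether to honor the switch) and the shape of the fix (one shared check) can be shown side by side. This is an added illustration, not Cherry Studio's code or the contents of PR #14390; the setting key, event names, and function names are hypothetical.

```javascript
'use strict';
// Hypothetical names throughout; this is not Cherry Studio's source.
const EVENTS = ['conversation', 'app_startup', 'update_check'];

// "Before": each call site decides for itself, and two of them never ask.
function makeUngatedReporter(settings, transport) {
  return {
    conversation: () => {
      if (settings.enableDataCollection) transport('conversation');
    },
    app_startup: () => transport('app_startup'),   // switch not consulted
    update_check: () => transport('update_check'), // switch not consulted
  };
}

// "After": one choke point owns the opt-out check, so no event can skip it.
function makeGatedReporter(settings, transport) {
  const send = (event) => {
    // Read the setting at send time so a toggle takes effect immediately.
    if (!settings.enableDataCollection) return false;
    transport(event);
    return true;
  };
  return Object.fromEntries(EVENTS.map((e) => [e, () => send(e)]));
}

// Regression check: with the switch off, fire every event type and
// return whatever reached the (stubbed) network transport.
function leakedEvents(makeReporter) {
  const sent = [];
  const settings = { enableDataCollection: false };
  const reporter = makeReporter(settings, (e) => sent.push(e));
  for (const e of EVENTS) reporter[e]();
  return sent;
}

console.log('ungated leaks:', leakedEvents(makeUngatedReporter));
console.log('gated leaks:  ', leakedEvents(makeGatedReporter));
```

A check like `leakedEvents` belongs in the test suite: it fails as soon as any new event type is wired to the transport without passing through the shared gate.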
