GBHackers

Cline Kanban WebSocket Vulnerability Enables Malicious Sites to Take Over AI Coding Agents


Cline, a widely adopted open-source AI coding agent, has recently patched a severe vulnerability in its local Kanban server. Trusted by developers with deep access to source code, cloud credentials, and terminals, Cline automates complex coding tasks.

However, researchers from Oasis Security uncovered a critical flaw (CVSS 9.7) that allows malicious websites to silently hijack a developer’s machine, steal sensitive workspace data, and inject rogue commands into the AI agent without triggering any warnings.

Cline Kanban WebSocket Vulnerability

The vulnerability stems from how the Kanban server handles real-time communication between its management interface and the AI agent sessions.

The server opens a WebSocket listener on the developer’s machine but fails to implement basic security checks. It lacks origin validation, authentication tokens, and any mechanism to verify that the connecting client is the legitimate Kanban UI.

Because WebSockets are not restricted by standard browser CORS (Cross-Origin Resource Sharing) policies, they sit in a well-known browser security blind spot.

Consequently, any webpage a developer visits can execute malicious JavaScript to bypass standard boundaries and seamlessly connect to the local server, exploiting the missing checks.

This single security oversight grants threat actors three devastating capabilities, starting with real-time intelligence gathering. The moment a cross-origin connection opens, the Kanban server freely transmits a complete snapshot of the developer’s workspace.

An attacker-controlled webpage can silently collect filesystem paths, task details, git branch names, and the complete AI agent chat history as the developer works.

Furthermore, the vulnerability enables terminal hijacking that easily leads to remote code execution. The server exposes a channel for writing directly to the AI agent’s terminal input. Attackers can inject a prompt and simulate a keypress, which the AI agent then accepts as a legitimate instruction.

The agent executes the chosen shell command, effectively handing the attacker a shell on the developer’s machine. Attackers can also execute a denial-of-service attack by terminating active agent tasks, completely disrupting the development workflow.

The attack surface for this vulnerability is remarkably broad, requiring no phishing, social engineering, or malware installation.

A developer merely needs to browse a compromised webpage while the vulnerable Kanban server is running. Oasis Security responsibly disclosed the flaw, and it has been officially patched in Cline version 0.1.66.

Developers utilizing Cline’s Kanban feature must update their software immediately. Furthermore, security teams should audit their broader AI development environments for similar local listener vulnerabilities.
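The checks the article lists as missing (origin validation and an authentication token) belong at the WebSocket upgrade step of any local listener. The sketch below is an added example, not Cline's code or its actual patch; the port, the origin list, the `token` query parameter and all function names are assumptions, and the Host check goes slightly beyond what the article describes.

```javascript
// Added illustration, not Cline's code. Port 4000, the origin list and the
// "token" query parameter are assumptions made for this sketch.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:4000", "http://localhost:4000"]);
const ALLOWED_HOSTS = new Set(["127.0.0.1:4000", "localhost:4000"]);

// Constant-time comparison so the token check does not leak matches via timing.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether an HTTP Upgrade request may become a WebSocket session.
// `req` mirrors Node's http.IncomingMessage: { url, headers } with lowercase names.
function checkUpgrade(req, sessionToken) {
  const h = req.headers || {};
  // The Host header must name the loopback listener itself.
  if (!ALLOWED_HOSTS.has(h.host)) return { ok: false, status: 403, reason: "host" };
  // Browsers attach Origin to every WebSocket handshake and page script cannot
  // override it, so a foreign page is rejected here. CORS never runs this check.
  if (h.origin !== undefined && !ALLOWED_ORIGINS.has(h.origin))
    return { ok: false, status: 403, reason: "origin" };
  // Non-browser clients omit Origin, so every client must also hold the
  // per-session secret that the server handed only to its own UI.
  const token = new URL(req.url, "http://localhost").searchParams.get("token");
  if (!safeEqual(token, sessionToken)) return { ok: false, status: 401, reason: "token" };
  return { ok: true, status: 101, reason: "accepted" };
}

// Constructed sample handshakes (not captured traffic).
const SESSION_TOKEN = "constructed-example-token";
const SAMPLES = {
  ownUi: { url: "/ws?token=constructed-example-token",
           headers: { host: "127.0.0.1:4000", origin: "http://127.0.0.1:4000" } },
  foreignPage: { url: "/ws?token=constructed-example-token",
                 headers: { host: "127.0.0.1:4000", origin: "https://untrusted.example" } },
  noToken: { url: "/ws", headers: { host: "127.0.0.1:4000", origin: "http://localhost:4000" } },
  localScript: { url: "/ws?token=wrong", headers: { host: "localhost:4000" } },
};

// Run every sample through the check and report why each was accepted or refused.
function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLES)) out[name] = checkUpgrade(req, SESSION_TOKEN).reason;
  return out;
}
console.log(runSamples());
```

When auditing other local listeners, the same three questions apply to each upgrade handler: is Host pinned, is Origin allowlisted, and is a per-session secret required.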

Restricting the exposure of localhost services through host-based firewalls and endpoint security policies can prevent unauthorized processes from binding to network ports.

As AI agents increasingly operate autonomously with highly privileged access, organizations must deploy specialized access management controls to monitor agent behavior and block injected commands.
