Cline Kanban WebSocket Flaw Lets Hackers Hijack AI Coding Agents
A critical vulnerability in Cline’s built-in kanban server has left millions of developers exposed to silent workspace hijacking, enabling any malicious website to exfiltrate sensitive data and remotely execute commands through their AI coding agent. Oasis Security researchers disclosed the flaw on May 7, 2026, assigning it a CVSS score of 9.7.
The vulnerability affects version 0.1.59 of the Kanban npm package and has been patched in Cline version 0.1.66. Cline is among the most widely adopted open-source AI coding agents, trusted by developers with privileged access to source code, terminals, git repositories, and cloud credentials.
Cline Kanban WebSocket Flaw
The kanban server opens a WebSocket listener on the developer’s local machine to enable real-time communication between the management UI and active agent sessions. Critically, all three WebSocket endpoints lacked both Origin header validation and authentication entirely.
The implicit assumption was that binding to 127.0.0.1 confined access to the local machine. However, browsers do not enforce cross-origin restrictions on WebSocket connections to localhost the same way they do for standard HTTP requests.
Unlike regular HTTP calls, which are governed by CORS policies, WebSocket upgrade requests are not subject to same-origin enforcement in the browser: the browser attaches an Origin header to the handshake and leaves the decision to the server. This means JavaScript on any external domain can silently open a connection to localhost, and a server that never inspects that header accepts it without challenge.
Oasis Security’s technical analysis identified three separate attack paths unlocked by the missing origin check.
The first involved automatic data exfiltration. The moment a cross-origin connection was established, the runtime endpoint automatically sent a full workspace snapshot to the attacker, including filesystem paths, task titles, git branch names, and the entire AI agent chat history.
The second and most severe vector was remote code execution via terminal hijacking. The terminal endpoint provided raw, bidirectional access to the AI agent’s pseudo-terminal, with messages written directly to the input buffer.
An attacker’s JavaScript could inject a crafted prompt followed by a simulated keypress, causing the agent to execute arbitrary shell commands with full user privileges, with no alert raised to the developer.
The third vector involved a separate control endpoint that allowed any connected client to terminate active agent sessions, enabling denial-of-service attacks that could disrupt developer workflows at will.
The overall risk was significantly amplified by Cline’s default “bypass permissions” flag, which allows the AI agent to execute shell commands and modify the filesystem without per-action authorization. Oasis Security specifically recommended disabling this setting as an immediate mitigation measure.
Mitigation
Security teams and developers should take the following actions immediately:
- Update Cline to version 0.1.66 or later to apply the official patch
- Disable the “Enable bypass permissions” flag in Cline application settings
- Audit all AI agent tools that open local WebSocket listeners and verify Origin header validation is enforced
- Apply host-based firewall rules restricting which processes can bind to local network ports
- Stop treating localhost as a security boundary when a listener is reachable from a browser
Oasis Security noted this vulnerability follows the same pattern documented in its earlier OpenClaw research, suggesting the localhost-as-trust-boundary assumption is systemic across AI coding agent platforms.
AI coding agents broadly carry credential access, code execution capability, and CI/CD integration, making unvalidated local listeners an escalating threat class.
As AI agents gain greater autonomy across development environments, organizations need purpose-built controls: intent analysis that distinguishes legitimate instructions from injected commands, just-in-time credential scoping, and comprehensive audit trails spanning the developer, the agent, and every resulting action.