Critical Cline AI Agent Vulnerability Allows RCE Attacks

A critical vulnerability within the Cline Kanban server allows threat actors to exfiltrate workspace data and remotely execute arbitrary code silently.

Security researcher TheRealSpencer recently published details of this cross-origin WebSocket hijacking vulnerability affecting the widely adopted open-source AI coding assistant.

The vulnerability is tracked as CVE-2026-44211 and carries a near-maximum severity score of 9.7.

Researchers at Oasis Security noted that the issue stems from missing origin validation on the local server exposed by the package.

Developers using the affected software are at high risk simply by visiting a malicious webpage. At the same time, the server runs in the background.

Cline AI Agent Vulnerability

The core issue resides in the kanban npm package used by the Cline command-line interface.

When launched, the application starts a local WebSocket server on port 3484 without implementing authentication or checking the origin header of incoming requests.

This architectural oversight means that any external website a developer visits can establish a connection to the local server without any user intervention.

Security analysts observed that web browsers do not restrict cross-origin WebSocket connections to localhost, allowing malicious JavaScript to interact freely with the exposed endpoints.

Once connected to the runtime stream, attackers can instantly leak sensitive information, including filesystem paths, git branch details, task titles, and live AI agent chat messages.

Beyond information disclosure, the vulnerability allows remote attackers to seize control of running AI agent terminals.

By connecting to the terminal input-output WebSocket, threat actors can inject arbitrary prompts directly into the agent’s active workspace.

The system processes these injected commands just like native user input, turning basic text injection into full remote code execution when followed by a carriage return.

Security experts have demonstrated that this can be used to execute malicious shell commands on the victim’s operating system without any direct user interaction.

Additionally, the control server endpoint can be manipulated to terminate active sessions, creating a denial-of-service condition.

The exploit is effective across any platform where Node.js and Cline are deployed, including macOS, Linux, and Windows environments.

There are currently no patched versions available for this critical vulnerability, leaving developers exposed when using older versions of the Cline CLI.

Mitigation requires significant structural changes to the application’s local web server implementation.

Following the publication by TheRealSpencer on GitHub, security professionals advised developers to validate origin headers to prevent unauthorized WebSocket upgrades.

Furthermore, generating and requiring a randomized session token at server startup would effectively block external origins from guessing the necessary connection parameters.

Until official patches are released, developers should exercise extreme caution when navigating the internet while running the Cline Kanban application.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.