Critical Cline AI Agent RCE Vulnerability Patched
Key Takeaways
- A critical cross-origin WebSocket hijacking vulnerability (CVE-2026-44211) has been discovered in the Cline Kanban server.
- The flaw allows remote attackers to exfiltrate sensitive workspace data and achieve remote code execution (RCE) on affected systems.
- The vulnerability impacts developers using the open-source Cline AI coding assistant across macOS, Linux, and Windows environments.
- Currently, no official patches are available, leaving users of older Cline CLI versions exposed.
A severe security vulnerability has been identified within the Cline Kanban server, presenting a significant risk of data exfiltration and silent remote code execution for affected users. This critical flaw impacts the widely adopted open-source AI coding assistant, according to recent disclosures.
Security researcher TheRealSpencer brought attention to the details of this cross-origin WebSocket hijacking vulnerability. The issue, officially designated as CVE-2026-44211, carries a high CVSS severity score of 9.7, underscoring its potential for widespread impact.
Analysis by researchers at Oasis Security indicates that the root cause of the problem lies in the local server exposed by the package, which fails to implement proper origin validation. This oversight leaves developers using the software vulnerable to attack simply by visiting a malicious webpage while the Cline server operates in the background.
Understanding the Cline AI Agent Vulnerability
The core of the vulnerability resides within the kanban npm package, a component integral to the Cline command-line interface. When the Cline application is launched, it starts a local WebSocket server on port 3484. Crucially, this server operates without any authentication mechanism and does not verify the Origin header of incoming requests.
This architectural deficiency means that any external website a developer browses can establish a connection to their local Cline server without requiring any explicit user interaction. Security analysts have confirmed that standard web browsers do not impose restrictions on cross-origin WebSocket connections to localhost, thereby allowing malicious JavaScript to interact freely with the exposed endpoints.
Upon establishing a connection to the runtime stream, attackers gain immediate access to sensitive information. This includes, but is not limited to, filesystem paths, details of git branches, task titles, and live chat messages from the AI agent.
Beyond mere information disclosure, the vulnerability extends to enabling remote attackers to take control of active AI agent terminals. By connecting to the terminal’s input-output WebSocket, threat actors can inject arbitrary commands directly into the agent’s operational workspace. The system processes these injected commands as if they were legitimate user input, facilitating full remote code execution when followed by a carriage return.
Security experts have successfully demonstrated that this mechanism can be exploited to execute malicious shell commands on the victim’s operating system without any direct user interaction. Furthermore, the control server endpoint can be manipulated to terminate active sessions, leading to a denial-of-service condition.
The exploit’s efficacy spans all platforms where Node.js and Cline are deployed, encompassing macOS, Linux, and Windows environments. At present, no official patched versions are available to address this critical vulnerability, leaving developers who utilize older Cline CLI versions exposed to potential compromise.
Effective mitigation requires fundamental structural modifications to the application’s local web server implementation. Following the public disclosure by TheRealSpencer on GitHub, cybersecurity professionals have recommended that developers implement Origin header validation to prevent unauthorized WebSocket upgrades. Additionally, generating and requiring a randomized session token at server startup could effectively block external origins from guessing the necessary connection parameters.
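The two recommended checks, sketched for a Node.js server as an added example (this is not Cline's code and is not from the original report). The /terminal path, the token query parameter, the function names and the sample requests are assumptions made for illustration.

```javascript
// Added example: upgrade-time checks for a localhost WebSocket server.
const { randomBytes, timingSafeEqual } = require("node:crypto");

const PORT = 3484; // port named in the article
const ALLOWED_ORIGINS = new Set([`http://127.0.0.1:${PORT}`, `http://localhost:${PORT}`]);

// Per-launch secret; assumed to reach the legitimate UI in the URL the CLI opens.
const newSessionToken = () => randomBytes(32).toString("hex");

function tokensMatch(expected, supplied) {
  const a = Buffer.from(expected);
  const b = Buffer.from(supplied ?? "");
  return a.length === b.length && timingSafeEqual(a, b); // constant-time compare
}

// Decide whether an HTTP upgrade request may become a WebSocket.
function checkUpgrade(req, sessionToken) {
  const origin = req.headers.origin;
  // Browsers always send Origin on a WebSocket handshake, so a foreign page is
  // rejected here. Non-browser clients omit it and must still pass the token check.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: "403 Forbidden", reason: "origin" };
  }
  const supplied = new URL(req.url, "http://localhost").searchParams.get("token");
  if (!tokensMatch(sessionToken, supplied)) {
    return { ok: false, status: "401 Unauthorized", reason: "token" };
  }
  return { ok: true, status: "101 Switching Protocols", reason: "accepted" };
}

// Wire the check in before any WebSocket library sees the socket.
function guard(server, sessionToken, onAccept) {
  server.on("upgrade", (req, socket, head) => {
    const verdict = checkUpgrade(req, sessionToken);
    if (!verdict.ok) return socket.end(`HTTP/1.1 ${verdict.status}\r\nConnection: close\r\n\r\n`);
    onAccept(req, socket, head); // e.g. the WebSocket library's handleUpgrade
  });
}

// Constructed handshake requests; the /terminal path is hypothetical.
function demo(token = newSessionToken()) {
  const req = (origin, url) => ({ url, headers: origin === undefined ? {} : { origin } });
  return [
    req("https://evil.example", `/terminal?token=${token}`), // foreign page, even with token
    req(`http://localhost:${PORT}`, "/terminal"),            // right origin, no token
    req(undefined, "/terminal?token=wrong"),                 // non-browser client, bad token
    req(`http://127.0.0.1:${PORT}`, `/terminal?token=${token}`),
  ].map((r) => checkUpgrade(r, token).reason);
}
```

The Origin check alone stops a browser tab on another site; the token additionally covers local non-browser clients, which can set or omit Origin freely.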
What You Should Do
- Avoid running the Cline Kanban application when navigating untrusted or potentially malicious websites.
- Monitor official Cline channels for updates and apply patches immediately once they become available.
- Until official patches are released, consider implementing network-level restrictions or firewall rules to limit external access to port 3484 on your local machine.
- Exercise extreme caution with any prompts or commands processed by your AI agent, as they could be manipulated by an attacker.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


