A critical cross-origin WebSocket hijacking vulnerability (CVSS 9.7) has been disclosed in the local kanban server of Cline, one of the most widely used open-source AI coding agents in the developer ecosystem.
The flaw allowed any website a developer visited while Cline was running to silently connect to their machine, harvest sensitive workspace data in real time, and inject arbitrary shell commands into their AI agent, all without triggering a single visible alert.
Cline is among the most widely adopted open-source AI coding agents available today, trusted by developers worldwide with deep-level access to their environments, including source code, terminal sessions, git repositories, and cloud credentials.
What makes it particularly powerful and, in this case, particularly dangerous is its support for autonomous agent operation, where it can act on a developer’s behalf without requiring per-step confirmation.
Cline Kanban WebSocket Vulnerability
The Cline Kanban feature provides a browser-accessible project management interface backed by a local HTTP and WebSocket server running on port 3484. This server is designed to enable real-time communication between the Kanban management UI and active AI agent sessions.
The critical assumption underpinning its design was that binding to 127.0.0.1 would restrict access to only the local machine. That assumption was wrong. Unlike standard HTTP requests, WebSocket connections are not governed by the browser same-origin policy (SOP) or Cross-Origin Resource Sharing (CORS) restrictions.
This creates a well-documented but frequently exploited blind spot: any JavaScript running on any webpage, regardless of its origin domain, can establish a WebSocket connection to a localhost server, and the browser will permit it without any challenge.
All three WebSocket endpoints in Cline’s Kanban server lacked Origin header validation on upgrade requests and required no session authentication token. This single, systemic omission transformed a private developer tool into a remotely accessible attack surface reachable from any tab the developer happened to have open.
The exploit chain is deceptively simple and requires no malware installation, no phishing email, and no social engineering of any kind. The attack unfolds in three stages, each leveraging a separate unauthenticated WebSocket endpoint.
Real-Time Intelligence Gathering: The moment a cross-origin connection is established to the runtime state endpoint, the server delivers a full snapshot of the developer’s workspace: filesystem directory paths, task titles and descriptions, git branch names, commit history, and AI agent chat logs.
The server then continues streaming live updates as the developer works, effectively giving the attacker persistent eyes inside the development environment.
Terminal Hijack and Remote Code Execution: The second endpoint provides raw, bidirectional access to the AI agent’s pseudo-terminal, allowing messages to be written directly to the input buffer. An attacker’s JavaScript identifies an active task ID from the runtime stream, opens the terminal endpoint, and injects a crafted prompt followed by a simulated keypress.
The agent interprets this as a legitimate user instruction and executes the shell command the attacker chose, running it with the developer’s full operating system privileges. From the developer’s perspective, nothing happened. From the attacker’s perspective, they have a shell.
Denial-of-Service via Session Control: A third control channel endpoint allows any connected client to terminate active agent tasks forcibly. While less dramatic than code execution, this capability allows an attacker to disrupt ongoing development work, corrupt multi-step agentic processes, and introduce operational chaos on demand.
The severity is compounded by Cline’s default “bypass permissions” flag, which configures the AI agent to execute shell commands and modify the filesystem without requesting per-action authorization from the developer.
With this flag enabled (it is enabled by default), a single injected terminal command runs without any confirmation dialog. Turning off this setting is an immediate interim mitigation step, independent of patching.
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, described the broader implication clearly: “This vulnerability required no phishing, no malware, and no social engineering. Patching Cline to v0.1.66 closes this specific exposure. Auditing every AI tool that opens a local listener is the actual job to be done.”
Patch and Mitigation
The vulnerability specifically affects version 0.1.59 of the Kanban npm package. Oasis Security followed responsible disclosure protocols, reporting the findings to Cline before public release.
The Cline team responded promptly and deployed a fix in version 0.1.66, which introduces proper Origin validation across all three WebSocket endpoints. Sagi Layani, Solutions Architect at Oasis Security, confirmed: “The Cline team responded very quickly after the disclosure and were great to work with throughout the process.”
Security teams and individual developers should take the following actions now:
- Update the Cline Kanban npm package to version 0.1.66 or later immediately
- Turn off the “Enable bypass permissions flag” in Cline Settings to restrict autonomous shell execution
- Audit all AI development tools in your environment that expose local WebSocket or HTTP listeners, and verify each performs strict Origin header validation.
- Apply host-based firewall rules or endpoint security policies to restrict which processes can bind to localhost network ports.
- Treat localhost as routable from the browser, not as a security boundary.
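The check whose absence the article describes, as an added example that is not Cline's code: exact-match Origin validation plus a per-session token, applied to the WebSocket upgrade request before any socket is accepted. Port 3484 comes from the article; the allowlist, the `token` query parameter and the function names are assumptions.

```javascript
// Added example, not Cline's code. Port 3484 is from the article; the
// allowlist, the "token" query parameter and all names are assumptions.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:3484", "http://localhost:3484"]);

// Compares every character so timing does not reveal how much of the token
// matched. (In Node, crypto.timingSafeEqual over digests does the same job.)
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Decide whether one HTTP upgrade request may become a WebSocket.
// req is a Node http.IncomingMessage (header names arrive lowercased).
function checkUpgrade(req, expectedToken, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  // Browsers attach Origin to every WebSocket handshake and page script
  // cannot change it. Exact set membership rejects foreign sites, the
  // literal "null" origin, and look-alikes that only share a prefix.
  if (typeof origin !== "string" || !allowed.has(origin)) {
    return { ok: false, status: 403, reason: "origin not allowed" };
  }
  // Second factor: a secret only the real UI was given at startup, so a
  // non-browser client that forges Origin still fails.
  const supplied = new URL(req.url, "http://127.0.0.1").searchParams.get("token");
  if (!supplied || !constantTimeEqual(supplied, expectedToken)) {
    return { ok: false, status: 401, reason: "bad session token" };
  }
  return { ok: true, status: 101, reason: "ok" };
}

// Attach to a Node http.Server ahead of any WebSocket library: rejected
// handshakes get a plain HTTP error and never reach application code.
function guardUpgrades(server, expectedToken, onAccepted) {
  server.on("upgrade", (req, socket, head) => {
    const verdict = checkUpgrade(req, expectedToken);
    if (!verdict.ok) {
      socket.end(`HTTP/1.1 ${verdict.status} Rejected\r\nConnection: close\r\n\r\n`);
      return;
    }
    onAccepted(req, socket, head);
  });
}
```

The same gate has to sit in front of every endpoint the server exposes; a single unguarded upgrade path leaves the listener reachable from any open tab.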
This disclosure follows a recognizable pattern. Oasis Security previously documented an identical localhost-trust-boundary error in their OpenClaw research, suggesting the misconfiguration is systemic across AI coding agent platforms rather than isolated to a single project.
As AI agents are granted broader autonomous privileges in development pipelines, the security posture of every local service they expose becomes a critical organizational risk.
FAQ
Q1: What is the Cline Kanban WebSocket hijack vulnerability?
It is a critical CVSS 9.7 flaw in Cline’s local kanban server where missing Origin validation on all three WebSocket endpoints allowed any website to silently exfiltrate workspace data and inject shell commands into the developer’s AI agent.
Q2: Which version of Cline is affected, and what is the patched version?
The vulnerability affects the Kanban npm package version 0.1.59, and the fix was released in Cline version 0.1.66, which adds proper Origin validation to all WebSocket endpoints.
Q3: Why can’t the browser’s same-origin policy block this attack?
Browsers do not enforce the same-origin policy (SOP) or CORS restrictions on WebSocket upgrade requests, meaning any cross-origin JavaScript can freely connect to localhost WebSocket servers without challenge.
Q4: What should organizations do immediately to protect their development environments?
Organizations should update to Cline v0.1.66, disable the bypass permissions flag, audit all AI tools that expose localhost listeners for Origin validation, and enforce host-based firewall rules to restrict unauthorized port bindings.
Site: thecybrdef.com