A critical zero-authentication vulnerability has been discovered in the kanban npm package, a core component of the Cline AI coding assistant. It allows any malicious website to silently hijack a developer’s AI agent terminal, leak sensitive workspace data in real time, and achieve full remote code execution (RCE) without requiring a single click beyond normal tool usage.
Tracked as CVE-2026-44211 and published under GHSA-5c57-rqjx-35g2, the flaw was responsibly disclosed by security researcher TheRealSpencer (GitHub: sagilayani) and carries a critical CVSS v3.1 score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
As of publication, no patched version exists, leaving all users of kanban versions below v2.13.0 fully exposed. Cline is a popular AI-powered CLI coding assistant used by developers for task management, terminal interaction, and AI-assisted workflows.
When launched with cline --kanban (or as its default mode), it spawns the kanban npm package, which starts a local WebSocket server bound to 127.0.0.1:3484. This server manages real-time communication between the Cline UI and running AI agent sessions.
Critical Cline Kanban Vulnerability
The catastrophic oversight: the server performs zero Origin header validation and requires no authentication on any of its three WebSocket endpoints. Unlike standard HTTP requests, WebSocket connections bypass the browser’s Cross-Origin Resource Sharing (CORS) policy entirely.
Browsers will freely initiate WebSocket handshakes to localhost from any origin, meaning a simple malicious webpage can silently connect to a developer’s running kanban server without triggering any browser-side security warning.
The attack unfolds in four stages:
- Stage 1 – Information exfiltration: A cross-origin JavaScript connection to ws://127.0.0.1:3484/api/runtime/ws immediately receives a full workspace snapshot, including filesystem paths, task titles and descriptions, git branch names, and live AI agent chat messages streamed in real time.
- Stage 2 – Session detection: The same WebSocket broadcasts task_sessions_updated events whenever an AI agent session becomes active, leaking the taskId, workspaceId, and process PID.
- Stage 3 – Terminal hijack and RCE: Armed with the active session details, the attacker connects to ws://127.0.0.1:3484/api/terminal/io and injects raw bytes, including shell commands, followed by a carriage return (\r) directly into the AI agent’s pseudo-terminal (PTY). The AI agent processes these injected characters as legitimate user input and executes the embedded command, achieving full RCE.
- Stage 4 – Denial of Service: The control endpoint at ws://127.0.0.1:3484/api/terminal/control accepts unauthenticated stop messages, allowing an attacker to terminate any active agent task at will, silently.
The exploit has been demonstrated in a proof-of-concept hosted by the researcher at cline.sagilayani.com, confirming the full attack chain, including native OS dialog spawning as RCE proof across macOS, Linux, and Windows. Tested browsers include Firefox, Chrome, and Arc.
The vulnerability stems from two CWEs: CWE-306 (Missing Authentication for Critical Function) and CWE-1385 (Missing Origin Validation in WebSockets).
All three endpoints (/api/runtime/ws, /api/terminal/io, and /api/terminal/control) process incoming connections and messages without checking who is connecting or whether the request originates from the legitimate kanban UI.
The server’s upgrade handler explicitly comments on its own lack of validation: connections pass straight to runtimeStateHub.handleUpgrade() after a basic path check.
The terminal I/O handler forwards raw attacker-controlled bytes directly to terminalManager.writeInput(). The control handler executes stopTaskSession() on receipt of any stop-typed message, with no token, no session check, and no authorization at any layer.
Any developer running Cline v2.13.0 or earlier who visits a malicious or compromised website while Kanban is active is at risk. The attack requires no special privileges, no installed software on the attacker’s side, and no user interaction beyond normal development workflow. The attack surface encompasses all operating systems on which Cline runs.
Mitigation
The researcher outlined three concrete fixes developers and maintainers should prioritize:
- Validate the Origin header on all WebSocket upgrade requests, rejecting connections from any origin other than 127.0.0.1:3484
- Require a startup-generated session token as a query parameter on all WebSocket connections, preventing external origins from guessing or obtaining it
- Authenticate all terminal WebSocket connections to verify the connecting client is the legitimate kanban UI
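A sketch of the first two fixes above (Origin allow-listing plus a startup-generated token) as a Node.js upgrade check. This is an added example, not code from the kanban package or from the researcher; the token query parameter name, the http:// scheme of the allowed origin, and all function names are assumptions.

```javascript
// Added example, not kanban/Cline source. Names below are hypothetical.
const crypto = require('node:crypto');

const PORT = 3484;
const ALLOWED_ORIGINS = new Set([`http://127.0.0.1:${PORT}`]);
const PROTECTED_PATHS = new Set(['/api/runtime/ws', '/api/terminal/io', '/api/terminal/control']);
// Generated once per server start and handed only to the UI the server serves.
const SESSION_TOKEN = crypto.randomBytes(32).toString('hex');

function tokensMatch(presented, expected) {
  const a = Buffer.from(String(presented));
  const b = Buffer.from(expected);
  // timingSafeEqual throws on unequal lengths, so check length first.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Decide whether an HTTP upgrade request may become a WebSocket.
function authorizeUpgrade(req, expectedToken = SESSION_TOKEN) {
  let url;
  try { url = new URL(req.url, `http://127.0.0.1:${PORT}`); } catch {
    return { ok: false, status: 400, reason: 'url' };
  }
  if (!PROTECTED_PATHS.has(url.pathname)) {
    return { ok: false, status: 404, reason: 'path' };
  }
  // Browsers always send Origin on WebSocket handshakes; a missing or
  // foreign value is rejected before any state is sent to the client.
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: 'origin' };
  }
  const token = url.searchParams.get('token');
  if (!token || !tokensMatch(token, expectedToken)) {
    return { ok: false, status: 401, reason: 'token' };
  }
  return { ok: true, status: 101, reason: 'ok' };
}

// 'upgrade' event handler; `accept` stands in for the WebSocket library's upgrade routine.
function onUpgrade(req, socket, head, accept) {
  const verdict = authorizeUpgrade(req);
  if (verdict.ok) {
    accept(req, socket, head);
  } else {
    socket.write(`HTTP/1.1 ${verdict.status} Rejected\r\nConnection: close\r\n\r\n`);
    socket.destroy();
  }
  return verdict;
}
```

The check runs before the connection is handed to any endpoint handler, so a rejected client receives neither the workspace snapshot nor terminal access.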
Until an official patch is released, the safest mitigation is to avoid running cline --kanban while browsing untrusted or unknown websites, or to temporarily turn off kanban mode entirely during active browsing sessions.
FAQ
Q1: Does this vulnerability affect developers who don’t use the --kanban flag?
Yes, Kanban starts by default with the standard cline command, so most Cline users are exposed without explicitly opting for it.
Q2: Can an attacker exploit this without the developer visiting a malicious site?
No, the attack requires the victim to visit an attacker-controlled webpage while Kanban is running locally, making social engineering the primary delivery vector.
Q3: Is there a CVE assigned, and what is the severity score?
Yes, this vulnerability is tracked as CVE-2026-44211 with a critical CVSS v3.1 score of 9.3 out of 10.
Q4: Has a patch been released for this vulnerability?
No, as of the disclosure date, there is no patched version of the kanban package, and all versions below v2.13.0 remain fully vulnerable.
Site: https://thecybrdef.com