CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

WebSocket origin validation bypass in Cline Kanban enables AI agent hijacking and data exfiltration

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A critical security flaw in Cline Kanban's WebSocket endpoints allows any website a user visits to hijack AI coding agents, exfiltrate workspace data, inject terminal commands, or terminate active sessions. The vulnerability (CVSS 9.7) affects Cline version 0.1.59 and earlier, leveraging missing origin validation and authentication on three unauthenticated WebSocket endpoints exposed on localhost port 3484. Exploitation requires no phishing, malware, or social engineering, as browsers permit cross-origin WebSocket connections to localhost, bypassing intended access controls. Impact includes full AI agent compromise, sensitive data theft, and arbitrary code execution with default "bypass permissions" enabled.

Timeline

  1. 07.05.2026 17:30 1 articles · 1h ago

    Cline Kanban WebSocket endpoints vulnerable to unauthenticated hijacking via origin validation bypass

    Three unauthenticated WebSocket endpoints in Cline Kanban v0.1.59 and earlier lack origin header validation and authentication, enabling attackers to connect from any webpage via localhost WebSocket behavior in browsers. Attackers can exfiltrate workspace context, inject terminal commands, or terminate agent sessions, with exploitation requiring no phishing or malware.

    Show sources
    Open in new tab

Information Snippets

  • Cline Kanban server exposes three unauthenticated WebSocket endpoints on localhost port 3484: a runtime state endpoint, a terminal I/O endpoint, and a session control endpoint.

    First reported: 07.05.2026 17:30
    1 source, 1 article
    Show sources

  • The runtime endpoint leaks the developer’s full workspace context, including filesystem paths, task data, Git history, and AI agent chat messages, during WebSocket handshake.

    First reported: 07.05.2026 17:30
    1 source, 1 article
    Show sources

  • The terminal endpoint provides raw bidirectional access to the AI agent’s pseudo-terminal, enabling command injection and execution without authentication or origin validation.

    First reported: 07.05.2026 17:30
    1 source, 1 article
    Show sources

  • The vulnerability arises from missing Origin header validation and lack of session tokens on WebSocket upgrade requests, despite binding to 127.0.0.1.

    First reported: 07.05.2026 17:30
    1 source, 1 article
    Show sources

  • Exploitation chain involves a malicious webpage connecting to the runtime endpoint to harvest context, then pushing commands to the terminal endpoint that the AI agent processes as user input.

    First reported: 07.05.2026 17:30
    1 source, 1 article
    Show sources

  • Cline’s default "bypass permissions" flag allows the AI agent to execute shell commands and modify files without per-action authorization, compounding the risk of command execution.

    First reported: 07.05.2026 17:30
    1 source, 1 article
    Show sources

  • Cline Kanban versions prior to 0.1.66 are affected; updating to 0.1.66 or later mitigates the issue.

    First reported: 07.05.2026 17:30
    1 source, 1 article
    Show sources