A serious security flaw has been uncovered in the Cline Kanban server that puts developers’ workspace data and systems at risk. This vulnerability, which enables remote code execution (RCE) attacks, was recently disclosed by security researcher TheRealSpencer and affects the popular open-source AI coding assistant used by many developers worldwide.
What Is the Cline AI Agent Vulnerability?
The vulnerability, tracked as CVE-2026-44211 with a near-critical severity score of 9.7, stems from a flaw in the kanban npm package integral to the Cline command-line interface. When the Cline application launches, it starts a local WebSocket server on port 3484. However, this server lacks essential security measures: it neither authenticates connections nor verifies the origin header of incoming WebSocket requests.
This architectural oversight means that any malicious website a developer visits can establish a WebSocket connection to the local server without any user interaction or consent.
How Does the Attack Work?
Modern web browsers do not block cross-origin WebSocket connections to localhost. This allows attackers to use malicious JavaScript on a compromised or malicious webpage to interact with the Cline WebSocket server running on the developer’s machine.
Once connected, attackers can exfiltrate sensitive information such as filesystem paths, active Git branch details, task titles, and even live chat messages from the AI coding assistant. But the threat goes beyond data theft. By connecting to the terminal input-output WebSocket, attackers can inject arbitrary commands directly into the AI agent’s active workspace.
Because the system treats these injected commands as legitimate user input, executing them (e.g., pressing Enter) results in full remote code execution on the victim’s machine. This can include running malicious shell commands silently, without any direct user action.
Impact and Scope
This vulnerability affects any environment where Node.js and the Cline CLI are deployed, including macOS, Linux, and Windows systems. In addition to remote code execution, attackers can forcibly terminate active sessions, causing denial-of-service (DoS) conditions.
Currently, no patched versions address this critical flaw, leaving developers exposed when running older Cline versions.
How Can Developers Protect Themselves?
Fixing this vulnerability requires significant changes to how the local WebSocket server is implemented. Key recommendations from security experts include:
- Implementing strict validation of the origin header for incoming WebSocket connections to block unauthorized sources.
- Generating and requiring randomized session tokens at server startup to prevent attackers from guessing connection parameters.
Until official patches are released, developers should be extremely cautious when browsing the web while running the Cline Kanban application, especially avoiding suspicious or untrusted sites.
Conclusion
The Cline AI agent vulnerability highlights the dangers of exposing local development servers without proper security controls. As AI coding assistants become more integrated into developers’ workflows, safeguarding these tools is paramount. Stay alert, follow best security practices, and watch for updates from the Cline development team to protect your systems and data from this serious threat.
