Critical “Cline” AI Agent Vulnerability Enables RCE Attacks

HomeAI Critical “Cline” AI Agent Vulnerability Enables RCE Attacks By Abinaya May 12, 2026 A critical security flaw has been identified in the Cline Kanban server that allows threat actors to exfiltrate workspace data and execute arbitrary code silently and remotely. Security researcher TheRealSpencer recently published details of this cross-origin WebSocket hijacking vulnerability affecting the widely adopted open-source AI coding assistant. The vulnerability is tracked as CVE-2026-44211 and carries a near-maximum severity score of 9.7. Researchers at Oasis Security noted that the issue stems from missing origin validation on the local server exposed by the package. Developers using the affected software are at high risk simply by visiting a malicious webpage. At the same time, the server runs in the background. Cline AI Agent Vulnerability The core issue resides in the kanban npm package used by the Cline command-line interface. When launched, the application starts a local WebSocket server on port 3484 without implementing authentication or checking the origin header of incoming requests. This architectural oversight means that any external website a developer visits can establish a connection to the local server without any user intervention. Security analysts observed that web browsers do not restrict cross-origin WebSocket connections to localhost, allowing malicious JavaScript to interact freely with the exposed endpoints. Once connected to the runtime stream, attackers can instantly leak sensitive information, including filesystem paths, git branch details, task titles, and live AI agent chat messages. Beyond information disclosure, the vulnerability allows remote attackers to seize control of running AI agent terminals. By connecting to the terminal input-output WebSocket, threat actors can inject arbitrary prompts directly into the agent’s active workspace. The system processes these injected commands just like native user input, turning basic text injection into full remote code execution when followed by a carriage return. Security experts have demonstrated that this can be used to execute malicious shell commands on the victim’s operating system without any direct user interaction. Additionally, the control server endpoint can be manipulated to terminate active sessions, creating a denial-of-service condition. The exploit is effective across any platform where Node.js and Cline are deployed, including macOS, Linux, and Windows environments. There are currently no patched versions available for this critical vulnerability, leaving developers exposed when using older versions of the Cline CLI. Mitigation requires significant structural changes to the application’s local web server implementation. Following the publication by TheRealSpencer on GitHub, security professionals advised developers to validate origin headers to prevent unauthorized WebSocket upgrades. Furthermore, generating and requiring a randomized session token at server startup would effectively block external origins from guessing the necessary connection parameters. Until official patches are released, developers should exercise extreme caution when navigating the internet while running the Cline Kanban application. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News New Ivanti EPMM 0-Day Vulnerability Actively Exploited in Attacks Critical Palo Alto Firewalls Vulnerability Exploited in the Wild to Gain Root Access 10 Best Full Disk Encryption Tools in 2026 MistralAI PyPI Package Compromised to Inject Malicious Code – Microsoft Warns Multiple Critical Vulnerabilities Patched in Next.js and React Server Components Latest News Cyber Security News MistralAI PyPI Package Compromised to Inject Malicious Code – Microsoft Warns Chrome Claude’s Chrome Extension Vulnerability Allows Malicious Extensions to Steal Gmail and Drive Data Cyber Security News Critical PHP SOAP Extension Vulnerabilities Enables Remote Code Execution Attacks Cyber Security News Magecart Hackers Abuse Google Tag Manager to Inject Credit Card Skimmers Cyber Security News TeamPCP Compromised Checkmarx Jenkins AST Plugin Following KICS Supply Chain Attack