Critical Vulnerability in Cline AI Coding Agent Patched After Remote Exploitation Risk Discovered
A severe security flaw in Cline, a popular open-source AI coding agent, has been patched following the discovery of a CVSS 9.7 vulnerability that could allow attackers to hijack developers' machines, steal sensitive data, and execute arbitrary commands all without user interaction.
The vulnerability, identified by Oasis Security, resided in Cline’s local Kanban server, which facilitates real-time communication between the AI agent and its management interface. The server exposed a WebSocket listener on developers' machines but lacked critical security controls, including origin validation, authentication tokens, and CORS protections. This oversight created a browser security blind spot, enabling malicious websites to bypass standard defenses and connect to the server undetected.
Once exploited, attackers gained three high-impact capabilities:
- Real-time intelligence gathering – Malicious JavaScript could extract a full snapshot of the developer’s workspace, including filesystem paths, Git branches, task details, and AI agent chat history.
- Terminal hijacking & remote code execution – The server’s exposed terminal input channel allowed attackers to inject commands, which the AI agent executed as legitimate instructions, effectively granting unauthorized shell access.
- Denial-of-service attacks – Threat actors could terminate active AI tasks, disrupting development workflows.
The attack required no phishing, malware, or social engineering only a developer visiting a compromised webpage while the vulnerable Kanban server was running. The flaw was responsibly disclosed and patched in Cline version 0.1.66.
Given the growing adoption of AI agents with deep system access, security teams are advised to audit similar local listener vulnerabilities and enforce host-based firewalls to restrict unauthorized port binding. The incident underscores the need for specialized access controls to monitor AI agent behavior and prevent command injection.
Source: https://gbhackers.com/cline-kanban-websocket-vulnerability/
Cline TPRM report: https://www.rankiteo.com/company/clinebot
"id": "cli1778243371",
"linkid": "clinebot",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Developers using Cline AI '
'coding agent',
'industry': 'Software Development',
'name': 'Cline',
'type': 'Open-source AI coding agent'}],
'attack_vector': 'WebSocket listener exposed via local Kanban server',
'customer_advisories': 'Developers advised to update to Cline version 0.1.66',
'data_breach': {'data_exfiltration': 'Yes (real-time intelligence gathering)',
'sensitivity_of_data': 'High (developer workspace data, '
'terminal commands)',
'type_of_data_compromised': ['Filesystem paths',
'Git branches',
'Task details',
'AI agent chat history']},
'description': 'A severe security flaw in Cline, a popular open-source AI '
'coding agent, has been patched following the discovery of a '
'CVSS 9.7 vulnerability that could allow attackers to hijack '
"developers' machines, steal sensitive data, and execute "
'arbitrary commands all without user interaction. The '
'vulnerability resided in Cline’s local Kanban server, which '
'exposed a WebSocket listener without origin validation, '
'authentication tokens, or CORS protections, enabling '
'malicious websites to bypass standard defenses. Exploitation '
'granted attackers real-time intelligence gathering, terminal '
'hijacking, remote code execution, and denial-of-service '
'capabilities.',
'impact': {'data_compromised': 'Filesystem paths, Git branches, task details, '
'AI agent chat history, terminal commands',
'downtime': 'Disruption of development workflows due to '
'denial-of-service attacks',
'operational_impact': 'Terminal hijacking, remote code execution, '
'unauthorized shell access, task termination',
'systems_affected': "Developers' machines running Cline AI coding "
'agent'},
'investigation_status': 'Patched',
'lessons_learned': 'Need for specialized access controls to monitor AI agent '
'behavior and prevent command injection. Importance of '
'auditing local listener vulnerabilities and enforcing '
'host-based firewalls to restrict unauthorized port '
'binding.',
'post_incident_analysis': {'corrective_actions': 'Patch released in Cline '
'version 0.1.66 with added '
'security controls',
'root_causes': 'Lack of origin validation, '
'authentication tokens, and CORS '
'protections in WebSocket listener'},
'recommendations': ['Audit similar local listener vulnerabilities in AI '
'agents',
'Enforce host-based firewalls to restrict unauthorized '
'port binding',
'Implement specialized access controls for AI agent '
'behavior monitoring',
'Prevent command injection in AI coding agents'],
'references': [{'source': 'Oasis Security'}],
'response': {'communication_strategy': 'Responsible disclosure',
'containment_measures': 'Patch released in Cline version 0.1.66',
'remediation_measures': 'Fixed vulnerability in local Kanban '
'server (added origin validation, '
'authentication tokens, and CORS '
'protections)',
'third_party_assistance': 'Oasis Security (vulnerability '
'discovery)'},
'title': 'Critical Vulnerability in Cline AI Coding Agent Patched After '
'Remote Exploitation Risk Discovered',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE (CVSS 9.7) - Lack of origin validation, '
'authentication tokens, and CORS protections in '
'WebSocket listener'}