Oasis Security — Cline Kanban WebSocket Hijack (CVSS 9.7)

AI relevance: Cline's local kanban server opened a WebSocket listener on localhost with no origin validation, letting any webpage silently hijack a developer's AI coding agent and execute arbitrary shell commands on their machine.

Oasis Security disclosed a critical vulnerability (CVSS 9.7) in Cline, the widely adopted open-source AI coding agent. The kanban server — a local WebSocket listener that syncs the management UI with agent sessions — accepts connections from any origin with no authentication, no origin check, and no CSRF protection.

  • Real-time workspace exfiltration: On connection, the server sends filesystem paths, task descriptions, git branch names, and full AI agent chat history to the connecting client — then keeps streaming live updates.
  • Terminal hijack to RCE: The server exposes a channel that writes directly to the agent's terminal input. An attacker's JavaScript can inject prompts followed by simulated keypresses, giving them a remote shell with zero user interaction.
  • Denial of service: Any connected client can terminate active agent tasks at will.
  • Zero-trust boundary: No phishing, no malware, no social engineering: just JavaScript on a webpage the developer happens to visit. Browsers do not apply CORS or the same-origin policy to WebSocket handshakes, so the browser allows the cross-origin connection and only the server can refuse it.
  • Attack surface is every developer: Anyone running Cline's kanban feature is reachable from any webpage on the internet.

Why it matters

This is a textbook example of how AI agents blur the line between content and execution. The agent holds credentials, terminal access, and source code — and the localhost listener assumed the browser's same-origin policy would protect it. It doesn't. As coding agents proliferate, every tool that opens a local network listener becomes a potential cross-origin hijack target.

What to do

  • Update Cline to version 0.1.66 or later (patched).
  • Audit all AI development tools that open local network listeners — verify origin validation on every WebSocket or HTTP server.
  • Consider host-based firewall rules to restrict which processes can bind to localhost ports accessible from the browser.
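
The origin validation the audit step above asks for, sketched for a Node.js localhost listener as an added example (not Cline's code or its actual patch). The allowed origins, the port and the `token` query parameter are assumptions made for illustration.

```javascript
// Added example: handshake policy for a localhost WebSocket server.
// The origins/port below are constructed values; "token" as a query parameter is an assumption.
const ALLOWED_ORIGINS = new Set(['http://localhost:3484', 'http://127.0.0.1:3484']);

// Constant-time comparison so the token cannot be recovered character by character.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether an HTTP Upgrade request may become a WebSocket session.
// headers: lower-cased request headers (the shape Node's http module provides)
// reqUrl: request target, e.g. "/ws?token=..."
// sessionToken: random secret generated at server startup and given only to the server's own UI
function checkUpgrade(headers, reqUrl, sessionToken) {
  const origin = headers['origin'];
  // Browsers send Origin on every WebSocket handshake and page script cannot alter it.
  // Exact match only: no substring or suffix tests, and the literal "null" origin fails.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }
  // Non-browser clients can omit or forge Origin, so it is not authentication:
  // require the per-session token on every connection.
  let token;
  try {
    token = new URL(reqUrl, 'http://localhost').searchParams.get('token');
  } catch {
    return { ok: false, status: 400, reason: 'bad request target' };
  }
  if (!sessionToken || !safeEqual(token, sessionToken)) {
    return { ok: false, status: 401, reason: 'missing or wrong token' };
  }
  return { ok: true, status: 101, reason: 'ok' };
}

// Wiring for an http.Server 'upgrade' event: refuse before any workspace data is sent.
// accept is a hypothetical callback that hands the socket to the WebSocket library in use.
function onUpgrade(req, socket, sessionToken, accept) {
  const verdict = checkUpgrade(req.headers, req.url, sessionToken);
  if (!verdict.ok) {
    socket.end(`HTTP/1.1 ${verdict.status} Rejected\r\nConnection: close\r\n\r\n`);
    return verdict;
  }
  accept(req, socket);
  return verdict;
}
```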

Sources: