Cline Kanban WebSocket Hijack
You're a developer. Cline is running. You open a browser tab to read documentation. In the background, JavaScript on that page silently connects to Cline's localhost WebSocket server, reads your workspace, and injects a shell command into your AI agent's terminal, running with your full user privileges.
This is not a bug in one tool. It's a pattern.
Oasis Security researchers identified a critical vulnerability (CVSS 9.7) in Cline's kanban server. All three WebSocket endpoints lack Origin validation and authentication. Browsers do not apply the same-origin policy to WebSocket handshakes; they only attach an Origin header for the server to check, so a server that never checks it accepts connections from any website the developer visits.
Chained together, three flaws produce a full compromise from any website the developer visits:
- Information disclosure through the runtime state stream
- Remote code execution through the terminal I/O endpoint
- Denial of service through the terminal control endpoint
What you can do today:
- Disable the "Enable bypass permissions flag" in Cline Settings
- Audit AI agent tools exposing localhost interfaces for Origin validation
- Treat localhost as routable from the browser, not as a trust boundary