Technical description
Cline Kanban server version 0.1.59 exposes three unauthenticated WebSocket endpoints on port 3484 (runtime state, terminal I/O, session control) with no origin validation. Any website a developer visits can silently connect, exfiltrate workspace data (filesystem paths, git history, AI chat messages), inject commands into the agent's terminal, or kill active sessions. Browsers do not enforce cross-origin restrictions on WebSocket connections to localhost.
Attack vector
Attacker hosts a malicious webpage. When a developer with Cline running visits the page, JavaScript connects to ws://127.0.0.1:3484 WebSocket endpoints. The runtime endpoint returns a full environment snapshot. The terminal endpoint accepts raw input written directly to the pseudo-terminal buffer. With Cline's default 'bypass permissions' flag enabled, injected commands execute without authorization. Attack requires no phishing, malware, or social engineering—only a webpage visit.
Affected systems
Cline (widely-adopted open-source AI coding assistant) with Kanban feature enabled, version 0.1.59 of the npm package. The issue was disclosed May 7, 2026 by Oasis Security with a CVSS score of 9.7.
Mitigation
Update Cline to version 0.1.66 immediately. Disable the 'bypass permissions' flag in Cline settings to require per-action authorization for shell commands and filesystem modifications. Audit for similar localhost-as-trust-boundary errors in other AI coding tools. Oasis Security notes this follows the same pattern as their prior OpenClaw research, suggesting the flaw is systemic across AI agent platforms.