Vulnerability  ·  2026-06-02

CVE-2026-44211 (CVSS 9.6): Cline Autonomous Coding Agent — Cross-Origin WebSocket Hijack Enables Silent Workspace Exfiltration and Command Injection, No Patch Available

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-44211
Cline (an autonomous coding agent with 100k+ GitHub stars, available as a VS Code extension, SDK, and CLI) contains a critical cross-origin WebSocket hijack vulnerability in its Kanban server component. Versions 2.13.0 and prior start a local WebSocket server with no Origin validation and no session token. Any malicious website visited in the developer's browser can cross the origin boundary, silently connect to the local Cline Kanban WebSocket, exfiltrate workspace files and repository contents, and inject arbitrary commands into the running AI agent. Oasis Security published the primary technical advisory (CVSS 9.7 per their scoring) and the CVE was assigned CVSS 9.6 on NVD. The vulnerability was fixed in the Cline Kanban component starting at v0.1.66; however, the main Cline package (up to 2.13.0) remains listed as vulnerable on NVD with no publicly available patch at time of publication.
A developer with Cline running visits a malicious webpage (e.g., via phishing, malicious ad, or compromised site). The webpage's JavaScript connects to the localhost WebSocket port used by Cline's Kanban server — no authentication or Origin check is performed. The attacker can read workspace data, list files, exfiltrate source code, and inject task instructions that cause Cline to execute shell commands under the developer's credentials.
Cline versions 2.13.0 and prior (VS Code extension, SDK, CLI). The exploit chain requires a developer to have Cline's Kanban server running (enabled via the Cline UI) while browsing the web.
1) Disable Cline's Kanban server feature in settings until a patched release is available.
2) Upgrade to Cline Kanban v0.1.66 or later if using the Kanban component separately.
3) Restrict developer workstations from browsing untrusted sites while AI coding agents are active.
4) Monitor outbound connections from developer machines for unexpected data transfers.
5) Watch for an official Cline package update (post 2.13.0) that addresses the NVD-listed vulnerability.
Sources
NVD — CVE-2026-44211
GitHub Security Advisory — GHSA-5c57-rqjx-35g2
Oasis Security — Cline Kanban WebSocket Hijack