
A critical vulnerability in the Cline developer tool allows attackers to hijack local AI agent sessions on a developer's machine. The flaw, tracked as CVE-2026-44211, resides in the Kanban server component. It permits any website a developer visits to silently connect to the local server, steal sensitive data, and execute arbitrary code [1].
At a Glance
CVE-2026-44211
Identifier
Critical
Severity
Network
Attack Vector
Cline
Affected Product
The Attack Chain: From Web Page to RCE
The attack begins when a developer, with the Cline Kanban server running, visits a malicious or compromised website. The site's JavaScript opens a WebSocket connection to the local server at `127.0.0.1:3484`. Because browsers do not enforce Cross-Origin Resource Sharing (CORS) policies on WebSocket connections, the server is immediately accessible.
Once connected, the server leaks a snapshot of the developer's entire workspace. This includes filesystem paths, project data, task descriptions, and git branch information. The WebSocket connection remains open, streaming real-time updates as the developer works, including messages exchanged with AI agents [1].
The attacker's script monitors this data stream for an active AI agent session. When a session is detected, the script opens a second WebSocket connection to the terminal I/O endpoint. It then injects commands directly into the agent's input, which the agent processes as if typed by the user. This allows the attacker to run shell commands on the victim's machine, achieving remote code execution.
OPERATOR ACTION
Update the Cline and kanban packages immediately to a patched version.
Root Cause: Missing Origin Validation
The vulnerability's root cause is the Kanban server's failure to validate the `Origin` header on incoming WebSocket connections. The server accepts any connection request without checking where it came from. This allows a script on `https://example.com` to control a server on `localhost`.
Three distinct WebSocket endpoints are exposed without authentication. The `/api/runtime/ws` endpoint streams workspace state. The `/api/terminal/io` endpoint provides raw read-write access to an agent's terminal. The `/api/terminal/control` endpoint allows an attacker to terminate any running agent task, enabling a denial-of-service attack [2].
Agentic Tools as a New Attack Surface
This incident highlights a growing threat category targeting local development tools, especially those integrated with AI agents. These tools often run with high privileges and broad access to local files. Developers trust them for convenience, but they can become powerful vectors for compromise.
Traditional security models are not always prepared for this threat. Network firewalls do not inspect localhost traffic. Browser sandboxes, while effective for web content, are bypassed when a local application willingly accepts cross-origin connections. The trust boundary between the browser and the local machine becomes blurred.
Detection and Mitigation
The vendor recommends several fixes, starting with proper `Origin` header validation on all WebSocket upgrade requests. This ensures only connections from the legitimate Kanban UI are accepted. The advisory also suggests implementing a session token, a secret generated at startup and required for all connections, to prevent cross-site connection attempts [2].
Defenders should audit their development environments for locally-running servers, particularly those used by AI and agentic tooling. Monitor for unexpected connections to localhost from browsers. Teams building such tools must treat all input from a web context as untrusted, even when the server itself is local.
References
- GitHub Security Advisory (GHSA-5c57-rqjx-35g2). https://github.com/advisories/GHSA-5c57-rqjx-35g2 (accessed 2026-05-09).
- Vendor security advisory (github.com). https://github.com/cline/cline/security/advisories/GHSA-5c57-rqjx-35g2 (accessed 2026-05-09).
About Helixar Research Labs
Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.
Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.
If you run agents in production, this is for you. Learn more at helixar.ai.