Cline Kanban Flaw Lets Websites Hijack AI Coding Agents

By Team-CWD | May 7, 2026


A critical vulnerability in the Cline Kanban server has been disclosed that allows any website a developer visits to silently exfiltrate workspace data, inject commands into the AI agent’s terminal or kill active agent sessions.

The flaw, given a CVSS score of 9.7, was identified in a security assessment by researchers at Oasis Security, who published a technical analysis of the issue on May 7. It affects version 0.1.59 of the Kanban npm package and stems from missing origin validation and authentication on three WebSocket endpoints exposed by the local server.

Cline is one of the most widely adopted open-source AI coding assistants, and its Kanban feature provides a web-based project management interface backed by a local HTTP and WebSocket server on port 3484.

Three Unauthenticated Endpoints, One Attack Chain

The Kanban server exposes three WebSocket endpoints that handle runtime state, terminal I/O and session control.

On connection, the runtime endpoint sends a full snapshot of the developer’s environment, including filesystem paths, task data, git history and AI agent chat messages. The terminal endpoint provides raw bidirectional access to the agent’s pseudo-terminal, with messages written directly to the input buffer.

Oasis Security said none of the endpoints validated the Origin header on the upgrade request or required any session token. The implicit assumption was that binding to 127.0.0.1 confined access to the local machine, but browsers do not enforce cross-origin restrictions on WebSocket connections to localhost in the way they do for standard HTTP requests.
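The two checks the endpoints were missing, as an added example that is not Cline's code or its actual fix: a gate run on the HTTP upgrade request that rejects foreign origins and requires a per-launch session token. The endpoint path, the `token` query parameter and the allowed-origin list are assumptions made for illustration.

```javascript
const { randomBytes, timingSafeEqual } = require("node:crypto");

const PORT = 3484; // local port named in the article
// Assumption: the legitimate UI is only ever served from these origins.
const ALLOWED_ORIGINS = new Set([
  `http://127.0.0.1:${PORT}`,
  `http://localhost:${PORT}`,
]);

// Per-launch secret, handed to the real UI out of band (for example embedded
// in the page that the local server itself serves).
function newSessionToken() {
  return randomBytes(32).toString("hex");
}

// Constant-time comparison so the token cannot be guessed byte by byte.
function tokensMatch(expected, presented) {
  const a = Buffer.from(expected);
  const b = Buffer.from(presented || "");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Decide whether an HTTP upgrade request may become a WebSocket.
// `req` is shaped like Node's http.IncomingMessage: { url, headers }.
function checkUpgrade(req, sessionToken) {
  const origin = req.headers.origin;
  // Browsers always send Origin on a WebSocket handshake and page script
  // cannot override it. An absent Origin means a non-browser client, which
  // still has to pass the token check below.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: "origin not allowed" };
  }
  const presented = new URL(req.url, `http://127.0.0.1:${PORT}`)
    .searchParams.get("token");
  if (!tokensMatch(sessionToken, presented)) {
    return { ok: false, status: 401, reason: "missing or bad token" };
  }
  return { ok: true, status: 101, reason: "upgrade permitted" };
}

// Constructed sample handshakes (the endpoint path is hypothetical).
const TOKEN = newSessionToken();
const LOCAL = `http://localhost:${PORT}`;
const SAMPLES = {
  foreignPage: { url: "/ws/terminal", headers: { origin: "https://example.test" } },
  localNoToken: { url: "/ws/terminal", headers: { origin: LOCAL } },
  localWithToken: { url: `/ws/terminal?token=${TOKEN}`, headers: { origin: LOCAL } },
  sandboxedFrame: { url: `/ws/terminal?token=${TOKEN}`, headers: { origin: "null" } },
};
```

In a Node server this check belongs in the `upgrade` event handler, before the socket is handed to any WebSocket code, so a rejected request never reaches the runtime, terminal or session-control handlers.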

Bypass Permissions Compounds the Risk

The exploit chain progresses from passive reconnaissance to remote code execution entirely from JavaScript on any webpage the developer visits while Cline is running. A malicious page can connect to the runtime endpoint, harvest workspace context, identify an active task ID, then push commands to the terminal endpoint that the agent processes as if typed by the user.

The risk is amplified by Cline’s default “bypass permissions” flag, which lets the AI agent execute shell commands and modify the filesystem without per-action authorization. Oasis recommended disabling it in the application settings.

Trey Ford, chief strategy and trust officer at Bugcrowd, said the broader issue extended well beyond the specific package.

“This vulnerability required no phishing, no malware, and no social engineering,” he said. “Patching Cline to v0.1.66 closes this specific exposure. Auditing every AI tool that opens a local listener is the actual job to be done.”

Oasis Security reported the findings to Cline before the publication of the research. Updating Cline to version 0.1.66 closes this specific exposure.

The issue follows the same pattern that Oasis previously documented in its OpenClaw research, suggesting the localhost-as-trust-boundary error is systemic across AI coding agent platforms.


