
Cline Kanban Flaw Lets Websites Hijack AI Coding Agents
Why It Matters
The flaw gives attackers silent, remote control of developers' environments, exposing code, credentials, and infrastructure, and underscores the broader risk of trusting localhost services in AI‑assisted development tools.
Key Takeaways
- Cline Kanban flaw CVSS 9.7 enables silent data exfiltration
- Unauthenticated WebSocket endpoints allow remote command injection from any website
- Disabling “bypass permissions” flag mitigates risk until patch v0.1.66 released
- Patch v0.1.66 adds origin validation and session token checks
- Localhost trust model is unsafe for AI coding assistants
Pulse Analysis
The open‑source AI coding assistant Cline’s Kanban module harbors a critical vulnerability that earned a CVSS 9.7 rating. The flaw resides in three unauthenticated WebSocket endpoints—runtime, terminal, and session control—exposed by the local server on port 3484. Because the endpoints do not validate the Origin header or require a session token, any malicious web page visited while Cline is running can connect to localhost, harvest the developer’s workspace snapshot, and inject commands directly into the agent’s pseudo‑terminal. The attack requires no phishing or malware, only a browser tab.
This issue highlights a systemic weakness in the assumption that localhost listeners are inherently trusted. Similar patterns have emerged in other AI coding agents, where developers rely on local HTTP or WebSocket services to bridge the IDE and the AI model. Browsers do not apply the same‑origin policy to WebSocket connections, including those to 127.0.0.1: the handshake carries an Origin header, but it is left to the server to check it, so a malicious script bypasses traditional same‑origin protections whenever the server does not. As AI‑driven development tools proliferate, the attack surface expands, making it essential for vendors to enforce strict origin checks and authentication on every exposed endpoint.
Cline responded quickly, releasing version 0.1.66 that adds origin validation and session token requirements, and recommending users disable the default “bypass permissions” flag that permits unrestricted shell execution. Security teams should audit all AI assistants that open local listeners, apply patches promptly, and consider network segmentation or firewall rules that block inbound connections to localhost from browsers. The broader lesson for enterprises is to treat any local service as potentially exposed and to incorporate threat modeling for AI‑enabled development workflows.
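The two handshake checks described above (Origin validation and a session token), as an added JavaScript example that is not Cline's code. The allowlist, the `token` query parameter, the function names, the endpoint paths and the sample requests are assumptions constructed for illustration; only port 3484 comes from the article.

```javascript
// Added example, not Cline's code. The allowlist, the "token" query
// parameter and the function names are assumptions for illustration.
const ALLOWED_ORIGINS = new Set([
  "http://127.0.0.1:3484",
  "http://localhost:3484",
]);

// Compare without an early exit so timing does not reveal how much of the
// token matched. (Node also provides crypto.timingSafeEqual for buffers.)
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Decide whether a WebSocket upgrade request may proceed.
function authorizeUpgrade(req, sessionToken) {
  const origin = req.headers["origin"];
  // Browsers attach Origin to every WebSocket handshake and page script
  // cannot override it. "null" (sandboxed frames) is not in the allowlist.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: "origin not allowed" };
  }
  // Clients outside a browser send no Origin, so the per-session secret
  // is required on every connection as well.
  const url = new URL(req.url, "http://127.0.0.1:3484");
  const supplied = url.searchParams.get("token") || "";
  if (supplied === "" || !constantTimeEqual(supplied, sessionToken)) {
    return { ok: false, status: 401, reason: "missing or wrong token" };
  }
  return { ok: true, status: 101, reason: "upgrade permitted" };
}

// Constructed handshakes (paths and token are made up for the example).
const TOKEN = "constructed-session-token-0123456789";
const SAMPLES = [
  { url: "/terminal", headers: { origin: "https://other-site.example" } },
  { url: "/runtime", headers: { origin: "http://127.0.0.1:3484" } },
  { url: "/runtime?token=" + TOKEN, headers: { origin: "http://localhost:3484" } },
  { url: "/terminal?token=" + TOKEN, headers: {} },
  { url: "/terminal?token=" + TOKEN, headers: { origin: "null" } },
];

function sampleStatuses() {
  return SAMPLES.map((req) => authorizeUpgrade(req, TOKEN).status);
}
console.log(sampleStatuses().join(" "));
```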