Critical Cline AI agent flaw lets websites hijack local developer sessions
7 min. read 
Published on
A critical vulnerability in Cline’s Kanban server can let a malicious website connect to a developer’s local AI agent session, steal workspace data, inject terminal input, and disrupt active tasks.
The flaw is tracked as CVE-2026-44211 and affects the Kanban component used with the Cline CLI. Public vulnerability databases list it as a critical issue with a CVSS score of 9.6.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The risk is serious because Cline and similar AI coding agents often work close to source code, terminals, Git repositories, project paths, task history, and developer credentials. If the local agent service trusts the wrong browser connection, a normal web page can become a path into the developer’s workspace.
What went wrong in Cline Kanban
The issue comes from the local WebSocket service used by Cline Kanban. The service listens on 127.0.0.1:3484 and accepts WebSocket connections without proper origin validation or authentication.
That design creates a cross-origin WebSocket hijacking risk. If a developer has the Kanban server running and visits a malicious website, JavaScript on that page can attempt to connect to the local WebSocket endpoints.
Once connected, an attacker can access runtime data, interact with exposed terminal channels, or terminate running tasks. The developer may not see any obvious warning because the activity happens through the browser and the local background service.
At a glance
| Item | Details |
|---|---|
| Vulnerability | CVE-2026-44211 |
| Affected component | Cline Kanban server used by the Cline CLI |
| Weakness | Missing origin validation and missing authentication on WebSocket endpoints |
| Local service | 127.0.0.1:3484 |
| Severity | Critical |
| CVSS score | 9.6 in GitHub, GitLab, and Tenable listings |
| Main impact | Workspace data exposure, terminal hijacking, remote code execution through agent input, and task termination |
Why WebSocket origin checks matter
Web browsers apply strict rules to many cross-origin HTTP requests, but WebSocket behavior creates a different risk. A web page can attempt to open a WebSocket connection to localhost, and the server must decide whether to trust it.
In this case, the local Kanban service did not properly confirm that the request came from the legitimate Kanban interface. That missing check allowed an unrelated website to reach endpoints meant only for local tool use.
This type of flaw matters more in AI coding tools than in many standard local apps. An AI coding agent may already have permission to read project files, operate inside a terminal, and act on developer instructions.
What attackers can access
The runtime WebSocket stream can expose live workspace information. That can include file system paths, task titles, task descriptions, Git branch information, and AI agent chat messages.
For developers working on private code or internal company projects, this can reveal project structure, active work items, repository details, and sensitive prompts sent to the agent.
The vulnerability also exposes a terminal input channel. If an AI agent task is active, attacker-controlled JavaScript can inject prompts or terminal input into the running session. That can turn a browser visit into code execution through the trusted local agent workflow.
Attack requirements
| Requirement | Why it matters |
|---|---|
| Cline Kanban must be running | The attack needs the local WebSocket server to be active. |
| The victim must visit a malicious website | The web page supplies JavaScript that connects to the local service. |
| The exposed endpoint must accept the connection | The missing origin and authentication checks allow the connection path. |
| An agent task may need to be active for terminal hijacking | Injected input becomes more dangerous when a running task can process it. |
Why this can lead to remote code execution
The flaw does not work like a traditional malware download. Instead, it abuses the trust relationship between the browser, the local Kanban server, and the AI agent terminal.
If the attacker can write input into the agent’s terminal channel, they can push commands through a tool the developer already trusted. The agent may then process the injected instruction as if it came from the user.
That makes the vulnerability especially dangerous for developers who leave AI coding agents running while browsing the web. The browser becomes a bridge between an external page and a local tool with deep workspace access.
Patch status and mitigation
Cline’s Kanban changelog says version 0.1.66 added origin and host validation for the Kanban WebSocket service. However, the GitHub advisory for the npm `cline` package still lists no patched version, so teams should verify their exact installed component and not rely only on package names.
Developers should update Cline and Kanban components to the newest available release, then confirm that the local service no longer accepts unauthorized WebSocket connections from unrelated origins.
Organizations should also inventory AI coding tools that start local web servers. Cline is not the only class of tool that can expose local agent capabilities through browser-accessible ports.
- Update Cline and Kanban components to the latest available versions.
- Check whether Kanban 0.1.66 or newer is present in the environment.
- Stop the Kanban server when it is not needed.
- Avoid browsing untrusted sites while local AI agent services are running.
- Use host firewall rules or endpoint controls to restrict local service access where possible.
- Monitor for unexpected connections to 127.0.0.1:3484.
- Review AI tool configurations that expose terminals, workspaces, or WebSocket endpoints.
What security teams should review
Security teams should look beyond the single CVE and audit local AI development tools across their environment. Any tool that exposes a local listener should validate the origin, require an unpredictable session token, and authenticate sensitive endpoints.
Terminal channels need extra scrutiny. A local interface that can write to a terminal should not accept input from any browser page that can reach localhost.
Teams should also review logs for unexpected agent activity, stopped tasks, unexplained shell commands, and unusual browser-to-localhost traffic. These signals can help identify attempted exploitation or risky exposure.
AI coding tools need tighter local boundaries
CVE-2026-44211 shows how quickly a local developer convenience feature can become a security boundary problem. AI coding agents now sit close to source code, credentials, terminals, and project memory.
That level of access requires stronger controls than a normal local dashboard. Origin checks, session tokens, endpoint authentication, and clear service shutdown behavior should become baseline requirements for agent tools.
Developers should treat any always-on local AI interface as part of their attack surface. If a tool can control a terminal, read workspace state, or act on prompts, it needs the same security review as other privileged development software.
FAQ
CVE-2026-44211 is a critical cross-origin WebSocket hijacking vulnerability in the Cline Kanban server. It can let a malicious website connect to the local service and interact with exposed AI agent endpoints.
If Cline Kanban is running, JavaScript on a malicious website can try to open a WebSocket connection to the local server on 127.0.0.1:3484. Without proper origin validation and authentication, the server may accept that connection.
Yes. Public advisories say the flaw can allow terminal hijacking by injecting prompts or input into a running AI agent session, which can lead to remote code execution.
Attackers may access workspace paths, task titles, task descriptions, Git branch details, workspace metadata, and AI agent chat messages exposed through the runtime WebSocket stream.
Developers should update Cline and Kanban components, stop the Kanban server when it is not needed, avoid untrusted websites while local agent services are running, and verify that WebSocket endpoints require origin checks and authentication.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages