9.6 Severity: Critical “Cline” AI Agent Flaw Allows Stealthy RCE via Your Browser

In the rapidly evolving world of AI-assisted development, tools like Cline have become indispensable, living in editors and terminals to help engineers build features through natural conversation. However, a critical security vulnerability has turned this productivity booster into a potential backdoor.

Researchers have disclosed CVE-2026-44211, a Cross-Origin WebSocket Hijacking vulnerability carrying a CVSS score of 9.6. The flaw allows any malicious website a developer visits to silently seize control of the Cline AI agent, leading to real-time data theft and remote code execution (RCE).

The issue lies within the kanban npm package used by the Cline CLI. When active, the package starts a WebSocket server on 127.0.0.1:3484.

Crucially, this server was found to have no Origin header validation. Because WebSocket connections are not restricted by the Same-Origin Policy (SOP) that governs typical web traffic, a browser will freely send these requests to localhost regardless of which website the user is currently viewing.

As the technical summary explains, “The kanban server accepts all connections without checking the Origin header.”

An attacker only needs a developer to visit a malicious webpage while the Cline kanban server is running. No further user interaction is required to trigger a total compromise.

Once a connection is established, the attacker gains three devastating capabilities:

• Information Disclosure: The attacker can leak sensitive data in real-time, including workspace filesystem paths, task titles, git branch information, and even the live stream of AI agent chat messages.
• Remote Code Execution: By injecting arbitrary prompts into the agent’s input via the hijacked terminal, the attacker can force the AI to run malicious commands on the developer’s machine.
• Denial of Service: The attacker can remotely kill any running agent tasks by terminating active sessions through the control WebSocket.

The discovery of CVE-2026-44211 highlights a growing risk in the AI developer-tool ecosystem, where local servers often lack the rigorous authentication found in cloud environments.

To protect against this hijack, the report recommends two primary fixes for the maintainers:

• Origin Validation: The server must validate the Origin header on all WebSocket upgrade requests and reject any connections that do not originate from the kanban UI itself.
• Session Tokens: The server should generate a random secret at startup and require it as a query parameter for all connections, ensuring external websites cannot guess the required credentials.