CVE-2026-44211
Cross-Origin WebSocket Hijack in Cline Kanban Server
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cline | cline | up to 2.13.0 (2.13.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1385 | The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44211 is a critical vulnerability in the kanban npm package used by the Cline CLI, which allows a cross-origin WebSocket hijack attack. The kanban server exposes three WebSocket endpoints on 127.0.0.1:3484 without proper Origin header validation or authentication. This flaw enables any website a developer visits to silently connect and interact with the server.
- Attackers can leak sensitive real-time data such as workspace filesystem paths, task titles and descriptions, git branch information, and AI agent chat messages.
- Attackers can hijack running AI agent terminals by injecting arbitrary prompts, potentially leading to remote code execution (RCE).
- Attackers can terminate active agent tasks, causing denial of service (DoS).
The root cause is missing Origin header validation during WebSocket upgrades and lack of authentication on all three exposed endpoints, allowing attackers to connect and send commands without verification.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Leakage of sensitive and confidential data such as filesystem paths, task details, git branch information, and AI agent communications.
- Remote code execution by attackers injecting commands into AI agent terminals, potentially compromising the entire system.
- Denial of service by terminating active AI agent tasks, disrupting workflows and productivity.
Because the attack can be performed remotely over the network without privileges and with low complexity, it poses a critical risk to affected environments running Cline or the kanban package on macOS, Linux, and Windows.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
A first check is whether the kanban server is listening on localhost (127.0.0.1) port 3484; on an affected version, the WebSocket endpoints behind that port neither validate the Origin header nor require authentication.
You can use network scanning or local port checking commands to identify if the vulnerable service is running.
- On Linux or macOS, use: `netstat -an | grep 3484`
- Or: `lsof -i :3484`
- On Windows, use: `netstat -an | findstr 3484`
Additionally, you can attempt to connect to the WebSocket endpoints on 127.0.0.1:3484 using WebSocket client tools or scripts to see if the server responds without Origin header validation or authentication.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the localhost WebSocket port 3484 to trusted processes only and avoiding visiting untrusted websites while the vulnerable kanban server is running.
Since no patches are available at the time of disclosure, recommended actions are:
- Stop or disable the kanban server or the Cline CLI if it is not essential.
- Use firewall rules or local network policies to block external or untrusted local processes from connecting to 127.0.0.1:3484.
- Avoid browsing untrusted websites while the vulnerable service is running to prevent cross-origin WebSocket hijacking.
Long term, apply patches or updates once they become available that implement Origin header validation and authentication on the WebSocket endpoints.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to leak sensitive real-time data such as workspace filesystem paths, task titles and descriptions, git branch information, and AI agent chat messages. This exposure of sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.
Additionally, the ability to hijack AI agent terminals and execute arbitrary commands could compromise system integrity and availability, further impacting compliance with standards that mandate secure and reliable system operations.
Since the vulnerability involves unauthorized data access and potential remote code execution without proper authentication or validation, affected organizations may face increased risk of data breaches and service disruptions, which are critical concerns under regulations such as GDPR and HIPAA.