CVE-2026-59723
Received Received - Intake

Cline Hub Dashboard WebSocket Origin Validation Bypass

Vulnerability report for CVE-2026-59723, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. Prior to 3.0.30, the Cline Hub dashboard server launched by the cline dashboard command accepts WebSocket connections on the /browser endpoint without validating the Origin header, and when ROOM_SECRET is unset for local 127.0.0.1 binds, isAuthorizedBrowserRequest() allows attacker-controlled websites to send desktopCommand frames that read workspace state, mutate MCP and provider settings, and trigger command execution when a provider or model is configured. This issue is fixed in version 3.0.30.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cline cline to 3.0.30 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Cline Hub dashboard server prior to version 3.0.30. The server accepts WebSocket connections on the /browser endpoint without validating the Origin header. When the ROOM_SECRET is unset for local 127.0.0.1 binds, the isAuthorizedBrowserRequest() function allows attacker-controlled websites to send desktopCommand frames. These frames can read the workspace state, change MCP and provider settings, and trigger command execution if a provider or model is configured.

Impact Analysis

This vulnerability can have a severe impact as it allows attackers to remotely execute commands, read sensitive workspace information, and modify critical settings within the Cline environment. This can lead to unauthorized access, data manipulation, and potentially full compromise of the affected system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Cline to version 3.0.30 or later, where the issue is fixed.

Ensure that the ROOM_SECRET environment variable is set when binding the dashboard server to local 127.0.0.1 addresses to prevent unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59723. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart