"This vulnerability required no phishing, no malware, and no social engineering," said Trey Ford, chief strategy and trust officer at Bugcrowd.
The flaw in Cline Kanban's WebSocket endpoints
Researchers at Oasis Security disclosed a critical vulnerability in the Cline Kanban feature that lets any website visited by a developer silently interact with the local AI agent. The issue affects version 0.1.59 of the Kanban npm package and carries a CVSS score of 9.7. Kanban provides a web-based project management interface backed by a local HTTP and WebSocket server on port 3484; that server exposes three WebSocket endpoints that handle runtime state, terminal I/O and session control.
Oasis found that none of those endpoints validated the Origin header on the WebSocket upgrade request or required any session token. The maintainers implicitly assumed that binding the server to 127.0.0.1 would confine access to the local machine, but, Oasis notes, browsers do not enforce cross-origin restrictions on WebSocket connections to localhost the way they do for standard HTTP requests.
How a webpage can hijack an AI agent
The technical chain described by Oasis moves from passive reconnaissance to remote code execution entirely from JavaScript on any webpage the developer visits while Cline is running. On connection, the runtime endpoint sends a full snapshot of the developer's environment — including filesystem paths, task data, git history and AI agent chat messages — which a malicious page can harvest to learn what to target.
With that context, an attacker-controlled page can identify an active task ID and then connect to the terminal endpoint. The terminal endpoint provides raw bidirectional access to the agent's pseudo-terminal, with messages written directly to the input buffer. A hostile page can push commands there that the agent will process as if typed by the user, enabling execution of arbitrary commands on the host.
The bypass permissions default and its amplifying effect
The risk is compounded by Cline's default "bypass permissions" flag. When enabled, the AI agent is allowed to execute shell commands and modify the filesystem without per-action authorization. Oasis specifically recommended disabling the bypass permissions setting in the application to reduce the attack surface.
Because the endpoints required neither origin validation nor authentication, a single webpage visit while Cline was running could yield workspace exfiltration, terminal command injection, or forced session termination — all without traditional attacker effort such as phishing or malware delivery.
Patching, disclosure, and the pattern Oasis documented earlier
Oasis Security reported the findings to Cline before publishing its technical analysis on May 7. The maintainers patched the specific issue: updating Cline to version 0.1.66 closes this exposure. Trey Ford emphasized that while patching Cline addresses one package, "Auditing every AI tool that opens a local listener is the actual job to be done."
Oasis also linked this vulnerability to a prior body of work it published under the name OpenClaw, saying the same localhost-as-trust-boundary error recurs across AI coding agent platforms. That earlier pattern suggests the problem is not unique to a single package but a recurring architectural assumption — that a local listener is inherently trustworthy.
What this means for developers, open-source maintainers, and end users
- Developers and security teams: If Cline Kanban version 0.1.59 is in use, upgrade to v0.1.66 and consider disabling the bypass permissions flag. Audit any tool you use that opens a local HTTP or WebSocket listener for missing origin checks or authentication.
- Open-source maintainers and product owners: Re-examine assumptions about 127.0.0.1 as a trust boundary, add Origin header validation and session authentication to local endpoints, and provide secure defaults (for example, disabling bypass permissions).
- End users (developers running local AI agents): Be aware that merely visiting a webpage while a vulnerable local listener is active can expose workspace data and allow injected commands; apply the provided patch and follow vendor guidance.
Oasis's disclosure and the subsequent patch close a specific and severe exposure, but the underlying pattern — trusting localhost listeners without origin or authentication checks — remains. As Trey Ford put it, patching one package is necessary, but auditing every AI tool that opens a local listener is the work that follows.
Original reporting: https://www.infosecurity-magazine.com/news/cline-kanban-websocket-hijack-ai/