Cline AI agent CVE-2026-44211 allows unauthenticated WebSocket hijack and RCE

Timeline

1. 2026-05-08

   Researcher Sagilayani publicly discloses CVE-2026-44211 via GitHub Security Advisory GHSA-5c57-rqjx-35g2 with full PoC.

2. 2026-05-08

   CVSS 9.3 Critical assigned. Affects all Cline versions before v2.13.0. CWE-306 + CWE-1385. No patch available at disclosure.

3. 2026-05-08

   PoC demonstrates full chain: workspace data leak → session detection → terminal hijack → RCE with macOS native dialog as proof of execution.

4. 2026-05-09

   GBHackers and security press cover the vulnerability; developers warned to disable kanban feature in untrusted network environments.

5. 2026-05-12

   No patched kanban package version available as of signal scan. Researcher recommends Origin validation, startup token, and terminal endpoint authentication as fixes.

Technical breakdown

• Three WebSocket endpoints (/api/runtime/ws, /api/terminal/io, /api/terminal/control) accept connections from any origin with no authentication or Origin header validation.
• WebSocket connections bypass browser CORS restrictions by design — any webpage can initiate a cross-origin WebSocket to localhost, making this exploitable passively from any tab visit.
• The /api/terminal/io endpoint writes raw bytes directly to the agent PTY; attacker input reaches the terminal identically to legitimate user input with no agent-layer gate in the path.
• The /api/runtime/ws endpoint immediately streams a full workspace snapshot — filesystem paths, git branches, task details, live AI chat — to any connecting client with no request required.
• Root cause is CWE-306 (Missing Authentication for Critical Function) + CWE-1385 (Missing Origin Validation in WebSockets) — both absent simultaneously creates full unauthenticated RCE from any browser tab.