{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cline/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["cline","kanban (\u003c= 2.13.0)"],"_cs_severities":["critical"],"_cs_tags":["websocket","cross-origin","rce","infoleak","dos"],"_cs_type":"advisory","_cs_vendors":["npm","cline"],"content_html":"\u003cp\u003eThe \u003ccode\u003ekanban\u003c/code\u003e npm package (used by the \u003ccode\u003ecline\u003c/code\u003e CLI) starts a WebSocket server on \u003ccode\u003e127.0.0.1:3484\u003c/code\u003e with no Origin header validation, allowing any website a developer visits to silently connect to the kanban server via WebSocket. This vulnerability, present in kanban version 0.1.59 and cline up to version 2.13.0, enables attackers to leak sensitive data in real-time, including workspace filesystem paths, task titles/descriptions, and git branch info. Furthermore, attackers can hijack running AI agent terminals by injecting arbitrary prompts, leading to remote code execution, and kill running agent tasks by terminating active sessions via the control WebSocket. This vulnerability poses a significant risk to developers using the \u003ccode\u003ecline\u003c/code\u003e CLI, as it allows for complete compromise of their local development environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker hosts a malicious website.\u003c/li\u003e\n\u003cli\u003eVictim visits the attacker-controlled website while running a vulnerable version of Cline with Kanban.\u003c/li\u003e\n\u003cli\u003eThe malicious website establishes a WebSocket connection to \u003ccode\u003ews://127.0.0.1:3484/api/runtime/ws\u003c/code\u003e on the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eThe server sends a snapshot of the developer\u0026rsquo;s workspace, leaking sensitive information, including file paths, task details, and Git information.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the runtime WebSocket for \u003ccode\u003etask_sessions_updated\u003c/code\u003e messages to detect running AI agent sessions.\u003c/li\u003e\n\u003cli\u003eUpon detecting a running session, the attacker connects to \u003ccode\u003ews://127.0.0.1:3484/api/terminal/io\u003c/code\u003e and injects a malicious prompt followed by a carriage return.\u003c/li\u003e\n\u003cli\u003eThe injected prompt is executed by the AI agent, leading to remote code execution.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could connect to \u003ccode\u003ews://127.0.0.1:3484/api/terminal/control\u003c/code\u003e and send a \u0026ldquo;stop\u0026rdquo; message to terminate the task.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows for information disclosure by leaking sensitive development environment data, including workspace paths, task content, and Git branches, streamed in real-time from any website. It also enables remote code execution through terminal hijacking, where commands are injected into the AI agent when a task is active. Finally, it permits denial of service by killing any running agent task via the control WebSocket. Attack requirements: The victim must have Cline Kanban running and visit an attacker-controlled webpage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect connections to the exposed WebSocket endpoints (ws_connection_kanban_api).\u003c/li\u003e\n\u003cli\u003eBlock access to the malicious PoC URL \u003ccode\u003ehttp://cline.sagilayani.com:1337/?key=clinevuln2026\u003c/code\u003e at the network perimeter based on the IOC list.\u003c/li\u003e\n\u003cli\u003eApply the recommended fixes by the vendor, including validating the Origin header on WebSocket upgrade requests and requiring a session token.\u003c/li\u003e\n\u003cli\u003ePatch CVE-2026-44211 by updating \u003ccode\u003ecline\u003c/code\u003e to a version greater than 2.13.0.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to \u003ccode\u003e127.0.0.1:3484\u003c/code\u003e to identify potential exploitation attempts using network_connection logs based on the IOC list.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cline-kanban-websocket-hijacking/","summary":"The `kanban` npm package, used by the `cline` CLI, has a cross-origin WebSocket hijacking vulnerability. Due to the lack of Origin header validation, any website can connect to the kanban server via WebSocket and leak sensitive data, hijack running AI agent terminals leading to remote code execution, or kill running agent tasks, resulting in information disclosure, RCE, and denial of service.","title":"Cline Kanban Server Cross-Origin WebSocket Hijacking Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-cline-kanban-websocket-hijacking/"}],"language":"en","title":"CraftedSignal Threat Feed — Cline","version":"https://jsonfeed.org/version/1.1"}