Vulnerability affects one of the most widely adopted open-source AI coding agents
Today, Oasis Security released vulnerability research on Cline, one of the most widely adopted open-source AI coding agents. Developers trust it with deep access to their environments: source code, terminals, git repositories, cloud credentials, and, increasingly, agent autonomy that lets it act on their behalf without per-step confirmation.
That trust comes with a critical assumption: only the developer, through Cline’s own UI, can communicate with the agent.
Oasis Security researchers found a critical vulnerability (CVSS 9.7) in Cline’s local kanban server. Any website a developer visited while running an affected version could silently connect to their machine, exfiltrate workspace data in real time, and inject commands into the developer’s AI agent. The developer would see nothing unusual. They were just browsing the web.
Oasis reported the finding to Cline before publication. The vulnerability has been fixed in version [0.1.66].
What The Researchers Found
The kanban server opens a WebSocket listener on the developer’s machine for real-time communication between the management UI and AI agent sessions. The problem is that it accepts connections from anywhere. There is no origin check, no authentication token, and no verification that the connecting client is actually the Kanban UI. Any JavaScript running in the developer’s browser can reach it.
WebSockets sit in a well-known blind spot in browser security. Unlike standard HTTP requests, they are not subject to the same-origin policy restrictions enforced by CORS. A page served from any domain on the internet can open a WebSocket connection to localhost, and the browser will allow it. The kanban server, not expecting visitors from the outside, lets them right in.
That single missing check exposes three capabilities to an attacker.
- Real-time intelligence gathering: The moment a cross-origin connection opens, the server sends a full snapshot of the developer’s workspace: filesystem paths, task titles and descriptions, git branch names, and AI agent chat history. It then keeps streaming updates as the developer works. An attacker-controlled webpage silently collects all of it.
- Terminal hijack leading to code execution: The server also exposes a channel that writes directly to the AI agent’s terminal input. When a developer has an AI agent running a task, the attacker’s JavaScript opens this channel and injects a prompt followed by a simulated keypress. The agent treats it as a legitimate user instruction and runs whatever shell command the attacker chose. From the developer’s side, nothing happened. From the attacker’s side, they have a shell.
- Denial of service: A separate control channel allows any connected client to terminate active agent tasks, disrupting the developer’s workflow at will.
The attack surface is broad. Every developer running Cline’s kanban feature is reachable from any webpage they visit. No phishing, no social engineering, no malware install. Just a bit of JavaScript on a page the developer happens to open.
What Security Pros Should Do
- Check whether Cline’s kanban feature is running in your environment. Developers may have adopted it independently, outside your standard tooling inventory.
- Update to the patched release.
- Audit your AI development tools broadly. If one local AI service has this pattern, others likely do too. Inventory every tool that opens a local listener and verify that it validates connection origins.
- Restrict localhost service exposure where possible through host-based firewall rules or endpoint security policies that limit which processes can bind to network ports.
How to Govern the AI Agent Era
AI agents hold credentials, access source code, and execute commands autonomously. The trust boundary between a developer’s browser and their local agent infrastructure is thinner than most organizations realize, and as this research demonstrates, it can be crossed from any webpage on the internet.
Traditional identity and access management were not built for this. Organizations need purpose-built controls: intent analysis that distinguishes legitimate agent actions from injected commands, deterministic policy enforcement, just-in-time-scoped credentials, and a full audit trail from the human to the agent to the action.
