system: OPERATIONAL
← back to all hacks
AGENTS CRITICAL NEW

Cline's Hub dashboard: loopback mistaken for authentication, again

A July 8, 2026 advisory shows the Cline Hub dashboard exposes a local WebSocket with no Origin check and a shared secret disabled by default — the second cross-origin WebSocket flaw in Cline in two months.

2026-07-16 // 6 min affects: cline, ai-coding-agents, local-agent-servers, mcp

What is this?

On July 8, 2026, the Cline project published a security advisory for its Hub dashboard — the local server started by the cline dashboard command in versions before 3.0.30. The dashboard exposes a WebSocket endpoint at /browser on 127.0.0.1:8787 so the browser-based UI can talk to the desktop agent. The flaw: the server never validates the HTTP Origin header on the WebSocket handshake, and the shared secret meant to gate that channel is unset by default on local binds. The result is arbitrary command execution on a developer’s machine triggered by nothing more than visiting a malicious web page.

This is the second cross-origin WebSocket issue disclosed in Cline in roughly two months, after the earlier flaw in its Kanban server. The recurrence is the real story: loopback binding keeps being treated as an authentication boundary when it is not one.

How it works

Browsers freely allow cross-origin WebSocket connections. The same-origin policy that blocks cross-site fetch reads does not stop a page at evil.example from opening ws://127.0.0.1:8787/browser. That is by design in the web platform, which is exactly why local services must verify the Origin header themselves.

The Hub dashboard delegates that decision to a function called isAuthorizedBrowserRequest(). When the ROOM_SECRET environment variable is not set — the default for a local 127.0.0.1 bind — the function returns true unconditionally. Every incoming connection is accepted as if it came from the legitimate dashboard tab. From there the attacker’s page sends desktopCommand frames that read workspace and session state, rewrite Model Context Protocol (MCP) server configuration, and change AI provider and model settings.

The pivot to code execution comes from a second default: dashboard sessions run with autoApprove: true for all tools. Once a provider or model is configured, an injected command runs without a human approval step. Two independent “safe by default” assumptions — loopback is trusted, tools are auto-approved — compose into a full remote-code-execution path.

Why it matters

Local agent servers are becoming a standard part of the AI coding stack, and each one that binds to loopback inherits this exact exposure. A developer only has to have the dashboard running and then browse the web normally; the malicious page needs no credentials and no prior access. Because the scope changes from a browser origin to the developer’s desktop account, the blast radius includes source code, cloud credentials stored as provider keys, and anything the agent’s tools can reach.

The disclosure lands amid a run of similar findings across coding agents in July 2026, where the common denominator is a locally bound service that assumes the loopback interface is a trust boundary. It is not: any origin the browser loads can send traffic to it.

Defenses

  • Upgrade to Cline 3.0.30 or later. The fix adds host and Origin validation through a new isAuthorizedBrowserToDesktopRequest check and constrains accepted hosts using isIP from Node’s net module.
  • Set a strong ROOM_SECRET before starting the dashboard if you must run an older build, so the authorization check enforces a shared secret instead of trusting every connection (export ROOM_SECRET="$(openssl rand -hex 32)").
  • Do not run the dashboard while browsing untrusted sites on the same host, and prefer not to leave it running unattended.
  • Validate Origin on every local WebSocket, and treat loopback as untrusted. Reject handshakes whose origin does not match the expected local UI; do not rely on 127.0.0.1 binding as authentication.
  • Reconsider blanket auto-approval. Tool calls that can execute commands should not default to autoApprove: true; keep a human gate for the actions that matter.
  • Rotate provider API keys and MCP credentials configured while a vulnerable version was running, and watch for agent processes spawning shells shortly after browser activity.

Status

ItemValue
ReferenceCVE-2026-59723 / GHSA-3cj3-hqcr-g934
AffectedCline Hub dashboard, CLI/SDK/IDE extension before v3.0.30
Root causeMissing Origin validation + ROOM_SECRET unset by default (CWE-346)
SeverityCVSS 8.8 (High); EPSS ~0.14%; not in CISA KEV
Fixed inCline CLI v3.0.30
PublishedJuly 8, 2026 (NVD)

Key dates: July 8, 2026 — advisory and NVD publication. Fix shipped in Cline CLI v3.0.30. Related prior issue: the Cline Kanban cross-origin WebSocket flaw disclosed the previous month.

Sources