AGENTS CRITICAL

Localhost agent hijack: cross-origin WebSocket attacks on AI coding agents

CVE-2026-44211 (CVSS 9.7), disclosed May 7, 2026, shows how a single visit to a malicious page can hijack an AI coding agent running on a developer's laptop. The attack class is generic — and architectural.

2026-05-22 · 7 min read · Affects: cline, kanban-npm-package, local-ai-coding-agents

What happened

On May 7, 2026, Oasis Security disclosed CVE-2026-44211 (CVSS 9.7), a cross-origin WebSocket hijacking vulnerability in the Cline AI coding assistant. The flaw lives in the kanban npm package shipped with the Cline CLI: the package opens a WebSocket server on 127.0.0.1:3484 to wire the local management UI to running AI agent sessions, and it does so without validating the Origin header and without any authentication token.

Any web page a developer loads in their browser can open a WebSocket to that local endpoint and start talking to the agent. The vulnerability was reported responsibly and patched in Cline 0.1.66. Developers running earlier versions should upgrade immediately.

How the attack class works

The bug is interesting less for its specifics than for the structural pattern it exposes. Browsers enforce CORS on fetch() and XMLHttpRequest, but WebSockets sit outside the same-origin policy: any origin can call new WebSocket("ws://127.0.0.1:3484"), and the browser will let the handshake proceed. The server on the other end is supposed to look at the Origin header and refuse anything that isn’t its own UI. Cline’s server didn’t.

The Cline kanban server exposed three WebSocket channels, each of which broke a different invariant:

  1. A read channel that, on connection, sent the attacker a snapshot of the workspace — file paths, task titles, git branch, chat history with the agent.
  2. A terminal-input channel that wrote directly into the active agent’s prompt buffer. An attacker page injects a prompt — for example, “run this build script for me” — followed by a simulated keypress. The agent treats it as a legitimate user instruction and asks its underlying LLM what to do. Because the agent already has shell-execution tools wired up, the result is remote code execution on the developer’s host.
  3. A control channel that could terminate running agent tasks, providing a denial-of-service vector.

The exploit is a one-line script on any page the developer visits — no XSS, no installed extension, no native exploit. The agent already had the privileges; the attacker just needed to talk to it.

Why this matters

This is the same lethal trifecta — untrusted input, sensitive data, external action — that Simon Willison documented in 2025 and that Meta’s AI Security team turned into the Rule of Two in October 2025. Cline holds all three by design: it runs in the developer’s workspace (sensitive data), it can execute shell commands (external action), and now, via the unauthenticated WebSocket, it accepts untrusted input from any browser tab.

The pattern is generic. Any agent framework that exposes a localhost control plane — for IDE integration, a web dashboard, a debugger — is a candidate for the same bug. Snyk’s follow-up Clinejection analysis shows how the same agent class is also exposed through tainted GitHub Actions outputs that flow back into the agent’s context. The CVE is one instance of a category that will keep appearing.

Defenses

Mitigations are architectural, not heuristic. For agent framework authors:

  1. Validate the Origin header on every WebSocket upgrade. Reject anything that isn’t the expected localhost UI origin. This alone closes the drive-by vector.
  2. Generate a per-session secret at server startup, require it on every WebSocket connection as a query parameter or subprotocol token, and never log it.
  3. Authenticate the terminal channel separately. The channel that can write into the agent’s prompt buffer is, in effect, the highest-privileged surface in the framework. Treat it that way.
  4. Bind to a Unix domain socket (or Windows named pipe) instead of TCP 127.0.0.1 when possible — local-only sockets don’t expose a TCP port that browsers can reach.
  5. Apply the Rule of Two. If the agent must accept untrusted input, drop external action or sensitive data for that session.

For developers running an AI coding agent:

  • Upgrade Cline to 0.1.66 or later. Audit any other agent that opens a local port — VS Code extensions, Aider variants, custom MCP gateways — for Origin checks and auth.
  • Don’t run an active agent task while browsing arbitrary web content. Treat the agent’s terminal like a privileged shell, because that’s what it is.
  • Watch outbound connections from your IDE host. A drive-by hijack typically pivots to network egress within seconds.

Status

Component            CVE             CVSS  Disclosure  Patched in
Cline (kanban npm)   CVE-2026-44211  9.7   2026-05-07  Cline 0.1.66

The deeper lesson: a localhost port is a public attack surface the moment a browser is on the same machine. Agent frameworks that grew out of developer-tools culture are still rediscovering what the WebSec community has known for a decade. Until that knowledge transfers, expect more cross-origin agent hijack CVEs through 2026.

Sources