Cline Kanban Vulnerability Exposes AI Coding Agents to Web Hijacking
A critical security flaw has been identified in the Cline Kanban server, a widely used open-source AI coding assistant. This vulnerability allows any website visited by a developer to exfiltrate workspace data, inject commands into the AI agent's terminal, or terminate active sessions. The flaw, which has been assigned a CVSS score of 9.7, was discovered by Oasis Security researchers. It affects version 0.1.59 of the Kanban npm package and is due to missing origin validation and authentication on three WebSocket endpoints exposed by the local server. These endpoints handle runtime state, terminal I/O, and session control, and do not validate the Origin header or require session tokens, making them susceptible to exploitation. The issue is compounded by Cline's default 'bypass permissions' flag, which allows the AI agent to execute shell commands without authorization. Oasis Security has recommended disabling this flag and updating to version 0.1.66 to mitigate the risk. 
