Cline CVE-2026-44211 — cross-origin WebSocket hijack → RCE (June 2026)
TL;DR
CVE-2026-44211 (CVSS 9.7) — Cline (the popular VS Code AI coding agent) starts a WebSocket server on port 3484 with no authentication and no origin validation. Any webpage a developer visits can connect to it and execute arbitrary shell commands on their machine. This is a textbook "localhost is not a security boundary" 1-click RCE.
What happened
Cline versions ≤ 2.13.0 launch a local WebSocket server (the Kanban board server) on port 3484 when the VS Code extension activates. This server:
- Binds to localhost
- Accepts any WebSocket connection without authentication
- Does not check the Origin header of incoming requests
Browsers do not restrict cross-origin WebSocket connections to localhost, so any JavaScript on any webpage the developer visits can silently establish a connection and send commands to the Cline server — which has full access to the developer's file system, shell, and all VS Code workspace permissions.
The vulnerability was published on 2026-06-01 with a CVSS 4.0 score of 9.7. No public PoC URL at time of writing, but the exploit is trivially constructible from the disclosure.
Same attack class as: - OpenClaw CVE-2026-25253 — WebSocket gateway token steal via URL parameter - OpenCode CVE-2026-22812 — POST /session/{id}/shell with CORS * - Marimo CVE-2026-39987 — unauth /terminal/ws
The root cause is identical across all four: a developer-facing tool assumes that "local port = safe" but the browser is the network attacker — any tab the developer opens is LAN-adjacent to every localhost port.
Am I affected?
# Check your installed Cline version
code --list-extensions --show-versions | grep saoudrizwan.claude-dev
# Or in VS Code: Extensions panel → Cline → version shown
# If version is ≤ 2.13.0, you are affected while VS Code is open.
You are actively exposed while Cline is running (i.e., while VS Code is open with the extension active). Any browser tab you visited between installing a vulnerable version and upgrading is a potential attack vector.
If you are affected
- Upgrade Cline immediately to the version that patches CVE-2026-44211 (check the Cline changelog for the first release after 2.13.0 that notes the WebSocket origin fix).
- Rotate all credentials accessible from your VS Code workspace and machine if you had a vulnerable version installed with any browser activity.
- Audit shell history for unexpected commands:
history | tail -100 - See playbooks/auditing-a-vibe-coded-repo.md.
Prevention
- Keep all VS Code AI agent extensions current — most localhost WebSocket vulnerabilities are patched silently via extension auto-updates.
- Disable silent auto-update of extensions in VS Code (Extensions → ⚙ gear → "Disable Auto Updating Extensions") and review changelogs before updating.
- Use a browser profile or container separate from your development environment for untrusted web browsing.
- For any AI agent extension, verify it implements:
- Origin header validation on WebSocket handshake
- Per-session authentication token
Sources
- CybersecurityNews — "Critical 'Cline' AI Agent Vulnerability Enables RCE Attacks" — CVE assignment, CVSS 9.7, technical detail on missing origin validation, port 3484, attack vector.
- The Hacker News — researcher cluster coverage — broader AI IDE vulnerability class context (IDEsaster).
- Cross-reference: 2026-01-openclaw-cve-2026-25253-gatewayurl-rce.md, 2026-01-opencode-localhost-rce.md, 2026-04-marimo-notebook-rce.md.