---
id: 2026-06-cline-cve-2026-44211-websocket-rce
title: "Cline CVE-2026-44211 — cross-origin WebSocket hijack → RCE (June 2026)"
date_disclosed: 2026-06-01
last_updated: 2026-06-04
severity: critical
status: active
ecosystems: [vscode-extension, npm]
tools_affected: [Cline (VS Code extension), any developer with Cline ≤ 2.13.0 installed]
tags: [localhost-attacker, websocket-hijack, rce, missing-origin-validation, 1-click]
---

## TL;DR

**CVE-2026-44211** (CVSS 9.7) — Cline (the popular VS Code AI coding agent) starts a WebSocket server on port 3484 with **no authentication and no origin validation**. Any webpage a developer visits can connect to it and execute arbitrary shell commands on their machine. This is a textbook **"localhost is not a security boundary"** 1-click RCE.

## What happened

Cline versions **≤ 2.13.0** launch a local WebSocket server (the Kanban board server) on **port 3484** when the VS Code extension activates. This server:
- Binds to localhost
- Accepts **any WebSocket connection without authentication**
- Does **not check the `Origin` header** of incoming requests

Browsers do not restrict cross-origin WebSocket connections to localhost, so any JavaScript on any webpage the developer visits can silently establish a connection and send commands to the Cline server — which has full access to the developer's file system, shell, and all VS Code workspace permissions.

The vulnerability was published on **2026-06-01** with a CVSS 4.0 score of **9.7**. No public PoC URL at time of writing, but the exploit is trivially constructible from the disclosure.

**Same attack class as:**
- [OpenClaw CVE-2026-25253](2026-01-openclaw-cve-2026-25253-gatewayurl-rce.md) — WebSocket gateway token steal via URL parameter
- [OpenCode CVE-2026-22812](2026-01-opencode-localhost-rce.md) — POST /session/{id}/shell with CORS *
- [Marimo CVE-2026-39987](2026-04-marimo-notebook-rce.md) — unauth /terminal/ws

The root cause is identical across all four: a developer-facing tool assumes that "local port = safe" but the **browser** is the network attacker — any tab the developer opens is LAN-adjacent to every localhost port.

## Am I affected?

```bash
# Check your installed Cline version
code --list-extensions --show-versions | grep saoudrizwan.claude-dev

# Or in VS Code: Extensions panel → Cline → version shown

# If version is ≤ 2.13.0, you are affected while VS Code is open.
```

You are **actively exposed while Cline is running** (i.e., while VS Code is open with the extension active). Any browser tab you visited between installing a vulnerable version and upgrading is a potential attack vector.

## If you are affected

1. **Upgrade Cline immediately** to the version that patches CVE-2026-44211 (check the [Cline changelog](https://github.com/cline/cline/releases) for the first release after 2.13.0 that notes the WebSocket origin fix).
2. **Rotate all credentials** accessible from your VS Code workspace and machine if you had a vulnerable version installed with any browser activity.
3. **Audit shell history** for unexpected commands: `history | tail -100`
4. See [playbooks/auditing-a-vibe-coded-repo.md](../playbooks/auditing-a-vibe-coded-repo.md).

## Prevention

- Keep all VS Code AI agent extensions **current** — most localhost WebSocket vulnerabilities are patched silently via extension auto-updates.
- **Disable silent auto-update** of extensions in VS Code (Extensions → ⚙ gear → "Disable Auto Updating Extensions") and review changelogs before updating.
- Use a browser profile or container separate from your development environment for untrusted web browsing.
- For any AI agent extension, verify it implements:
  - Origin header validation on WebSocket handshake
  - Per-session authentication token

## Sources

- [CybersecurityNews — "Critical 'Cline' AI Agent Vulnerability Enables RCE Attacks"](https://cybersecuritynews.com/cline-ai-agent-vulnerability/) — CVE assignment, CVSS 9.7, technical detail on missing origin validation, port 3484, attack vector.
- [The Hacker News — researcher cluster coverage](https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html) — broader AI IDE vulnerability class context (IDEsaster).
- Cross-reference: [2026-01-openclaw-cve-2026-25253-gatewayurl-rce.md](2026-01-openclaw-cve-2026-25253-gatewayurl-rce.md), [2026-01-opencode-localhost-rce.md](2026-01-opencode-localhost-rce.md), [2026-04-marimo-notebook-rce.md](2026-04-marimo-notebook-rce.md).
