Critical Vulnerability in Cline AI Coding Agent Patched After Remote Exploitation Risk Discovered A severe security flaw in Cline, a popular open-source AI coding agent, has been patched following the discovery of a CVSS 9.7 vulnerability that could allow attackers to hijack developers' machines, steal sensitive data, and execute arbitrary commands all without user interaction. The vulnerability, identified by Oasis Security, resided in Cline’s local Kanban server, which facilitates real-time communication between the AI agent and its management interface. The server exposed a WebSocket listener on developers' machines but lacked critical security controls, including origin validation, authentication tokens, and CORS protections. This oversight created a browser security blind spot, enabling malicious websites to bypass standard defenses and connect to the server undetected. Once exploited, attackers gained three high-impact capabilities: 1. Real-time intelligence gathering – Malicious JavaScript could extract a full snapshot of the developer’s workspace, including filesystem paths, Git branches, task details, and AI agent chat history. 2. Terminal hijacking & remote code execution – The server’s exposed terminal input channel allowed attackers to inject commands, which the AI agent executed as legitimate instructions, effectively granting unauthorized shell access. 3. Denial-of-service attacks – Threat actors could terminate active AI tasks, disrupting development workflows. The attack required no phishing, malware, or social engineering only a developer visiting a compromised webpage while the vulnerable Kanban server was running. The flaw was responsibly disclosed and patched in Cline version 0.1.66. Given the growing adoption of AI agents with deep system access, security teams are advised to audit similar local listener vulnerabilities and enforce host-based firewalls to restrict unauthorized port binding. The incident underscores the need for specialized access controls to monitor AI agent behavior and prevent command injection.