Cline WebSocket Hijack Vulnerability in Kanban Server

Vulnerability

A cross-origin WebSocket hijack vulnerability has been identified in Cline Kanban servers in versions prior to 2.13.0. Because the server does not validate the Origin header on WebSocket upgrade requests, any website a developer visits can silently open connections to the Kanban server's WebSocket endpoints. As a result, sensitive data can be leaked in real time, including workspace filesystem paths, task details, git branch information, and AI agent chat messages. The vulnerability also enables hijacking of active AI agent terminals by injecting prompts, leading to remote code execution, and allows termination of running agent tasks via a control WebSocket.

Impact

Exploitation of this vulnerability results in unauthorized access to sensitive workspace information, real-time data leakage, hijacking of AI agent terminals with potential for remote code execution, and the ability to disrupt active agent tasks, causing a denial-of-service effect on the AI agent's functionality.

Reproduction

The vulnerability can be reproduced by running a Cline Kanban server locally and then visiting a maliciously crafted webpage that connects to the WebSocket server. The cross-origin connection is accepted without any validation, giving the attacker access to sensitive information and to AI agent sessions.

Remediation

To address this vulnerability, it is recommended to validate the Origin header on all WebSocket upgrade requests, require a session token for WebSocket connections, and authenticate terminal WebSocket connections to ensure they originate from the legitimate Kanban UI.

Added: Jun 1, 2026, 5:39 PM
Updated: Jun 1, 2026, 5:39 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.7
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.