A critical vulnerability in the Cline Kanban server has been disclosed that allows any website a developer visits to silently exfiltrate workspace data, inject commands into the AI agent's terminal, or kill active agent sessions. The flaw, given a CVSS score of 9.7, was identified in a security assessment by Oasis Security, which published a technical analysis of the issue on 7 May 2026.
It affects version 0.1.59 of the Kanban npm package and stems from missing origin validation and authentication on three WebSocket endpoints exposed by the local server. Those endpoints handle runtime state, terminal I/O and session control, and on connection the runtime endpoint sends a full snapshot of the developer's environment, including filesystem paths, task data, git history and AI agent chat messages.
The terminal endpoint provides raw bidirectional access to the agent's pseudo-terminal, with messages written directly to its input buffer. None of the endpoints validate the Origin header or require any session token. The root cause is treating localhost as a trust boundary, one that browsers do not enforce for WebSocket connections: a page from any origin may open a WebSocket to a localhost listener, so the server itself must check who is connecting. Updating to version 0.1.66 is recommended; according to Oasis Security, patching to v0.1.66 closes this specific exposure, and the researchers advise developers to audit every AI tool that opens a local listener.