Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability
Severity: High
Description
The kanban npm package (used by the cline CLI) starts a WebSocket server on 127.0.0.1:3484 with no Origin header validation. Any website a developer visits can silently connect to the kanban server via WebSocket and:
1.
Recommendation
No fix is available yet. The following versions are affected:
- <= 2.13.0
References
Related Issues
- webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins - CVE-2026-6402
- Storybook Dev Server is Vulnerable to WebSocket Hijacking - CVE-2026-27148
- Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
- Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - CVE-2026-2229
Tags: npm, cline
Last updated on May 08, 2026