CVE-2026-30313 Overview
DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability (CWE-94) that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as ;, &&, ||, |, and command substitution patterns, it fails to account for raw newline characters embedded within the input. An attacker can construct a payload by embedding a literal newline between a whitelisted command and malicious code (e.g., git log\nmalicious_command), forcing DSAI-Cline to misidentify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator, executing both commands sequentially, resulting in Remote Code Execution without any user interaction.
Critical Impact
This vulnerability allows unauthenticated remote attackers to achieve full Remote Code Execution by bypassing the command whitelist security mechanism through newline character injection, with no user interaction required.
Affected Products
- DSAI-Cline (cline-DSAI) - Command Auto-Approval Module
Discovery Timeline
- 2026-03-30 - CVE-2026-30313 published to NVD
- 2026-04-01 - Last updated in NVD database
Technical Details for CVE-2026-30313
Vulnerability Analysis
This vulnerability falls under CWE-94 (Improper Control of Generation of Code - Code Injection). The core issue lies in DSAI-Cline's incomplete input sanitization within its command auto-approval mechanism. The security module was designed to prevent execution of dangerous shell commands by maintaining a whitelist of allowed operations and blocking known command chaining operators. However, the validation logic operates on string matching that fails to recognize newline characters (\n, \r\n) as effective command separators in PowerShell environments.
When a user or automated process submits a command for auto-approval, DSAI-Cline parses the input string to check for dangerous patterns. The parser successfully catches common shell injection techniques like semicolons and logical operators, but the developers overlooked that raw newline bytes serve the same purpose in PowerShell. This allows an attacker to submit any whitelisted command (such as git log or ls) followed by a literal newline and arbitrary malicious code; the input passes validation, but both commands execute when it is processed by the underlying shell.
Root Cause
The root cause is insufficient input validation in the command auto-approval module. Specifically, the whitelist validation logic uses pattern matching that only accounts for visible ASCII command separators while ignoring control characters like newlines. When the validated command string is passed to PowerShell for execution, the interpreter recognizes the embedded newline as a statement terminator, effectively allowing the attacker to chain arbitrary commands after the whitelisted prefix.
Attack Vector
The attack vector is network-based with no authentication or user interaction required. An attacker can exploit this vulnerability by:
- Identifying a whitelisted command that DSAI-Cline automatically approves (e.g., git log, git status)
- Constructing a malicious payload that begins with the whitelisted command followed by a literal newline character
- Appending arbitrary shell commands after the newline (e.g., reverse shell, file exfiltration, system modification commands)
- Submitting the crafted payload to DSAI-Cline's command execution interface
Because DSAI-Cline only examines the portion before the newline, it identifies the command as whitelisted and approves execution. PowerShell then interprets the payload as two separate commands, executing both the benign whitelisted command and the malicious injected code. This results in complete Remote Code Execution on the target system with whatever privileges the DSAI-Cline process operates under.
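The validation gap described above next to a stricter check, as an added JavaScript example (not DSAI-Cline's own code). The allowlist, function names and sample strings are constructed, and statementsSeenByShell is a simplified stand-in for the line splitting the advisory attributes to PowerShell.

```javascript
// Added example: allowlist, function names and sample strings are constructed.
const ALLOWLIST = ["git log", "git status", "ls"];
// Visible chaining operators the advisory says the check already intercepts.
const BLOCKED_OPERATORS = [";", "&&", "||", "|", "$(", "`"];

function matchesAllowlist(command) {
  // Prefix match: the allowlisted command, then end of string or whitespace.
  // \s also matches \n and \r, which is how a second line slips through.
  return ALLOWLIST.some(
    (allowed) =>
      command === allowed ||
      (command.startsWith(allowed) && /\s/.test(command[allowed.length]))
  );
}

// Model of the flawed check: operator blocklist plus prefix match only.
function flawedIsAutoApproved(command) {
  if (BLOCKED_OPERATORS.some((op) => command.includes(op))) return false;
  return matchesAllowlist(command);
}

// Hardened check: refuse any control character (CR, LF, tab, NUL, ...) or
// Unicode line/paragraph separator before the allowlist is consulted at all.
const CONTROL_OR_LINE_BREAK = /[\u0000-\u001f\u007f\u0085\u2028\u2029]/;

function hardenedIsAutoApproved(command) {
  if (typeof command !== "string" || CONTROL_OR_LINE_BREAK.test(command)) return false;
  return flawedIsAutoApproved(command);
}

// Simplified model of the interpreter side: one statement per non-empty line.
function statementsSeenByShell(command) {
  return command.split(/\r?\n/).filter((line) => line.trim() !== "");
}

// Constructed inputs; the second line is a harmless stand-in.
const samples = [
  "git log --oneline",
  "git log; Write-Output injected",
  "git log\nWrite-Output injected",
  "git status\r\nWrite-Output injected",
];
for (const s of samples) {
  console.log(JSON.stringify(s), {
    flawed: flawedIsAutoApproved(s),
    hardened: hardenedIsAutoApproved(s),
    statements: statementsSeenByShell(s).length,
  });
}
```

The hardened check is deliberately conservative: it also rejects tabs and other control characters, so a command that legitimately needs them falls back to manual approval.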
For technical details regarding the vulnerability mechanism, refer to the GitHub Issue Discussion and the DSAI-Cline Project Repository.
Detection Methods for CVE-2026-30313
Indicators of Compromise
- Unusual command strings containing embedded newline characters (%0a, %0d%0a, or literal newlines) in application logs
- DSAI-Cline auto-approval logs showing commands that were approved but contain unexpected multi-line content
- PowerShell execution history revealing commands that weren't explicitly initiated by users
- Evidence of reconnaissance or post-exploitation activity following auto-approved commands
Detection Strategies
- Implement logging that captures the full raw command string including control characters before and after validation
- Monitor PowerShell transcription logs for execution of unexpected commands occurring immediately after whitelisted operations
- Deploy endpoint detection rules to alert on newline injection patterns in command arguments
- Review DSAI-Cline configuration and logs for signs of exploitation or unusual command approval patterns
Monitoring Recommendations
- Enable verbose logging for DSAI-Cline's command auto-approval module to capture the complete command input including non-printable characters
- Configure SIEM rules to detect URL-encoded newline sequences (%0a, %0d) in command submissions
- Implement anomaly detection for command execution patterns that deviate from expected user behavior
- Monitor network traffic for signs of reverse shells or data exfiltration following auto-approved command execution
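One way to implement the newline checks listed above over approval logs, as an added JavaScript example (not part of DSAI-Cline or of any vendor rule set). The JSON-lines log format, the field names decision and command, and the sample records are assumptions constructed for illustration.

```javascript
// Added example: the JSON-lines log format and field names are assumptions.
const SAMPLE_LOG = [
  '{"ts":"2026-04-01T10:00:01Z","decision":"auto_approved","command":"git status"}',
  '{"ts":"2026-04-01T10:00:07Z","decision":"auto_approved","command":"git log\\nWrite-Output injected"}',
  '{"ts":"2026-04-01T10:00:09Z","decision":"auto_approved","command":"git log%0d%0aWrite-Output injected"}',
  '{"ts":"2026-04-01T10:00:12Z","decision":"rejected","command":"git log; Write-Output injected"}',
  "not json at all",
].join("\n");

// Percent-decode a bounded number of times so double encoding (%250a) is
// caught too. A regex is used so malformed sequences never throw.
function percentDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    const next = current.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
      String.fromCharCode(parseInt(hex, 16))
    );
    if (next === current) break;
    current = next;
  }
  return current;
}

// Flag records whose command holds a raw or percent-encoded CR/LF.
function findNewlineInjection(logText) {
  const findings = [];
  logText.split("\n").forEach((line, index) => {
    let record;
    try { record = JSON.parse(line); } catch { return; } // skip unparsable lines
    if (!record || typeof record.command !== "string") return;
    const raw = /[\r\n]/.test(record.command);
    const encoded = !raw && /[\r\n]/.test(percentDecode(record.command));
    if (!raw && !encoded) return;
    findings.push({
      line: index + 1,
      kind: raw ? "raw-newline" : "encoded-newline",
      // An approved multi-line command is the case the advisory warns about.
      severity: record.decision === "auto_approved" ? "high" : "info",
      // JSON.stringify keeps control characters visible in the alert text.
      command: JSON.stringify(record.command),
    });
  });
  return findings;
}

console.log(findNewlineInjection(SAMPLE_LOG));
```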
How to Mitigate CVE-2026-30313
Immediate Actions Required
- Disable the command auto-approval feature in DSAI-Cline until a patch is available
- Implement network segmentation to limit exposure of systems running DSAI-Cline
- Review recent command execution logs for signs of exploitation
- Consider implementing additional input sanitization at the application perimeter that strips or rejects commands containing newline characters
Patch Information
As of the last update on 2026-04-01, no official patch information is available. Monitor the DSAI-Cline Project Repository for security updates and patch releases. Organizations should prioritize upgrading to patched versions as soon as they become available.
Workarounds
- Disable the auto-approval feature entirely and require manual approval for all commands
- Implement a proxy layer that sanitizes input by removing or rejecting newline characters before passing commands to DSAI-Cline
- Restrict network access to DSAI-Cline to trusted IP addresses only
- Run DSAI-Cline with minimal privileges to reduce the impact of successful exploitation
# Example: Disable auto-approval in DSAI-Cline configuration
# Modify the configuration file to disable automatic command approval
# Location may vary based on installation
# Set auto_approve_commands to false or remove whitelisted commands
# Example configuration adjustment (syntax may vary):
# auto_approve_commands: false
# command_whitelist: []

