CVE-2026-59723 Overview
Cline is an autonomous coding agent distributed as an SDK, IDE extension, or CLI assistant. CVE-2026-59723 affects the Cline Hub dashboard server launched by the cline dashboard command in versions prior to 3.0.30. The server accepts WebSocket connections on the /browser endpoint without validating the Origin header. When ROOM_SECRET is unset for local 127.0.0.1 binds, the isAuthorizedBrowserRequest() function allows attacker-controlled websites to send desktopCommand frames. This weakness is tracked as [CWE-346] Origin Validation Error.
Critical Impact
A malicious website visited by a developer running Cline Hub can read workspace state, mutate MCP and provider settings, and trigger command execution when a provider or model is configured.
Affected Products
- Cline CLI versions prior to 3.0.30
- Cline Hub dashboard component
- Cline IDE extension components exposing the dashboard server
Discovery Timeline
- 2026-07-08 - CVE-2026-59723 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-59723
Vulnerability Analysis
The Cline Hub dashboard exposes a WebSocket endpoint at /browser on 127.0.0.1. The endpoint is intended for the local dashboard UI to communicate with the desktop agent. The server relies on isAuthorizedBrowserRequest() to gate incoming frames but does not verify the Origin header on the WebSocket handshake. Browsers permit cross-origin WebSocket connections by default, so any website a developer visits can open a connection to the local loopback socket.
When ROOM_SECRET is not configured — the default for local binds — the authorization check treats the connection as trusted. The attacker's page can then send desktopCommand frames that read workspace state, modify Model Context Protocol (MCP) server configuration, change AI provider settings, and, when a provider or model is already configured, invoke command execution on the developer's host.
Root Cause
The root cause is missing origin validation on the dashboard WebSocket handshake combined with an implicit-trust fallback when ROOM_SECRET is unset. Loopback binding is treated as a security boundary, but browsers can freely originate WebSocket traffic to 127.0.0.1 from any page.
Attack Vector
Exploitation requires a developer to be running cline dashboard locally and to visit an attacker-controlled web page. The page opens a WebSocket to the local dashboard endpoint and issues desktopCommand messages. User interaction is limited to browsing to the malicious URL. Because the scope changes from the browser origin to the local desktop agent, a successful attack can pivot to arbitrary command execution under the developer's account.
// Patch: apps/cline-hub/src/options.ts
+import { isIP } from "node:net";
+
export interface ClineHubServerOptions {
host: string;
port: number;
// Source: https://github.com/cline/cline/commit/d09270940f5746f288cfc4a5039b46a2f4d5d01e
// Patch: apps/cline-hub/src/server.ts — introduces browser-auth module
handleToolApprovalResponse,
rejectOrphanedApprovals,
} from "./server/approvals";
+import { isAuthorizedBrowserToDesktopRequest } from "./server/browser-auth";
import {
browserConfig,
host,
// Source: https://github.com/cline/cline/commit/d09270940f5746f288cfc4a5039b46a2f4d5d01e
The patch introduces host and origin validation via a new isAuthorizedBrowserToDesktopRequest helper and imports isIP from node:net to constrain accepted hosts. See the GitHub Security Advisory GHSA-3cj3-hqcr-g934 for full details.
Detection Methods for CVE-2026-59723
Indicators of Compromise
- Unexpected WebSocket connections to 127.0.0.1 on the Cline Hub dashboard port from browser processes when no dashboard tab is intentionally open.
- Unsolicited modifications to Cline MCP server configuration, provider keys, or model settings on developer workstations.
- Child processes spawned by the Cline dashboard process shortly after browser activity, especially shells or interpreters.
Detection Strategies
- Inspect endpoint telemetry for cline or Node.js processes launching command interpreters after WebSocket activity to the dashboard port.
- Correlate browser network events targeting 127.0.0.1 loopback WebSocket endpoints with subsequent process creation events on the same host.
- Audit Cline configuration files and MCP settings for unauthorized changes and compare against known-good baselines.
Monitoring Recommendations
- Alert on outbound connections initiated by processes spawned as children of the Cline dashboard when the parent command was not user-initiated.
- Monitor developer workstations for the installed Cline version and flag any host running a version below 3.0.30.
- Log and review WebSocket upgrade requests to loopback services where the Origin header does not match the expected local UI origin.
How to Mitigate CVE-2026-59723
Immediate Actions Required
- Upgrade Cline to version 3.0.30 or later on all developer systems that use the SDK, CLI, or IDE extension.
- Stop running cline dashboard on shared or untrusted workstations until the upgrade is applied.
- Rotate any provider API keys or MCP credentials that were configured while a vulnerable version was running.
Patch Information
The issue is fixed in Cline CLI v3.0.30. The fix validates the WebSocket host and Origin header and adds an isAuthorizedBrowserToDesktopRequest check. See the Cline v3.0.30 release notes, the remediation pull request #11724, and the patch commit d0927094.
Workarounds
- Do not launch cline dashboard while browsing untrusted sites on the same host.
- Set a non-empty ROOM_SECRET environment variable so isAuthorizedBrowserRequest() enforces the shared secret on browser-to-desktop frames.
- Restrict outbound browser access on developer workstations that must run older Cline versions, or use a host firewall rule to block non-UI processes from reaching the dashboard port.
# Configuration example: set ROOM_SECRET before starting the dashboard
export ROOM_SECRET="$(openssl rand -hex 32)"
cline dashboard
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

