The Intake — Monday, May 11, 2026

A cross-origin WebSocket hijacking flaw in Cline's kanban server feature gave any website a developer visited during an active session a path into their local AI coding agent. Sagi Layani at Oasis Security disclosed CVE-2026-44211 on May 7. Oasis Security scores the flaw CVSS 9.7; the GHSA-5c57-rqjx-35g2 advisory scores it 9.6. The affected component is the npm package kanban. Versions ≤ 2.13.0 are affected.

The kanban server opens a WebSocket listener on 127.0.0.1:3484. It applies no origin validation, no authentication tokens, and no client verification. WebSockets are not subject to the same-origin policy that blocks ordinary cross-origin HTTP requests. That means JavaScript running on any page a developer visits can open a connection to the port without restriction.

Three endpoints carry the attack surface: /api/runtime/ws, /api/terminal/io, and /api/terminal/control. On cross-origin connection, the runtime endpoint emits a full snapshot of the developer's workspace — filesystem paths, task descriptions, git branches, and agent chat history. The snapshot streams continuously. The terminal-IO endpoint accepts direct prompt and keypress injection into the AI agent. That injection path produces arbitrary shell-command execution. No action from the developer is required.

Cline patched the vulnerability in version 0.1.66. The CWE classifications are CWE-306 (Missing Authentication for Critical Function) and CWE-1385 (Missing Origin Validation in WebSockets). The kanban server was built to give a developer a local project view. By design, it was also a socket any browser tab could open.

Azure SRE Agent has an improper authentication flaw. An unauthorized attacker can use it to disclose information over the network. CVE-2026-32173 was published April 3, 2026. The advisory scores it CVSS 8.6 High.

The advisory's access conditions are network attack, no privileges required, and no user interaction. Scope change and high confidentiality impact are the notable vector attributes; integrity and availability are unaffected. MSRC is listed as an upstream source in the GHSA-85hw-hqj5-m956 advisory. The CWE classifications are CWE-287 (Improper Authentication) and CWE-863 (Incorrect Authorization).

The disclosure is attributed to Yanir Tsarimi at Enclave AI. Tsarimi framed the vulnerability against the service's preview period. Organizations that ran Azure SRE Agent during that window may have had configuration or credential data reachable to any account that connected. Affected and patched versions are not listed in the GitHub-reviewed advisory record.