Cline disclosed and fixed CVE-2026-59723, a high-severity cross-origin WebSocket hijacking flaw in the Hub dashboard server started by the cline dashboard command. In versions before 3.0.30, the /browser WebSocket endpoint failed to properly validate the Origin header, and authorization could be bypassed when ROOM_SECRET was unset for local 127.0.0.1 binds. A malicious website could abuse the weakness to send desktopCommand frames to the local dashboard, exposing workspace state, changing MCP and provider settings, and potentially triggering command execution when a provider or model was configured.
The fix landed through pull request #11724 and commit d09270940f5746f288cfc4a5039b46a2f4d5d01e, which added host and origin allowlists, enforced authentication for WebSocket upgrades, unsafe HTTP methods, and non-public routes, and required a matching room secret when configured. The patch also normalized public URL handling for localhost and direct IP access, while tests were added to verify trusted local origins and reject untrusted hosts and origins. Cline advised users to upgrade to 3.0.30, set ROOM_SECRET when the dashboard is not strictly local, validate origins, and limit provider and model configurations to reduce exposure.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
The CVE for a high-severity cross-origin WebSocket hijacking vulnerability in Cline before version 3.0.30 was published. The advisory states the issue affects the `/browser` endpoint in the Cline Hub dashboard and is fixed in version 3.0.30.
A source code commit added browser-to-desktop request authorization controls to the Cline Hub dashboard server, including host and origin allowlists, authentication for WebSocket upgrades and non-public routes, and related tests.
A pull request was published showing changes to tighten browser-to-server WebSocket and HTTP request validation in the Cline Hub dashboard, including Host and Origin checks and optional roomSecret enforcement for sensitive requests.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cvefeed.io
Open sourcegithub.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.