CVE-2026-59723

Source
https://cve.org/CVERecord?id=CVE-2026-59723
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59723.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59723
Aliases
  • GHSA-3cj3-hqcr-g934
Published
2026-07-08T22:25:01.453Z
Modified
2026-07-15T01:48:59.555807775Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Cline: Cross-Origin WebSocket Hijacking in Cline Hub Dashboard (`/browser` endpoint)
Details

Cline is an autonomous coding agent as an SDK, IDE extension, or CLI assistant. Prior to 3.0.30, the Cline Hub dashboard server launched by the cline dashboard command accepts WebSocket connections on the /browser endpoint without validating the Origin header, and when ROOM_SECRET is unset for local 127.0.0.1 binds, isAuthorizedBrowserRequest() allows attacker-controlled websites to send desktopCommand frames that read workspace state, mutate MCP and provider settings, and trigger command execution when a provider or model is configured. This issue is fixed in version 3.0.30.

Database specific
{
    "cwe_ids": [
        "CWE-346"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59723.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/cline/cline

Affected ranges

Type
GIT
Repo
https://github.com/cline/cline
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.0.30"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

Other
cli-build-024bb65
cli-build-4d455ea
cli-build-6278382
cli-build-6b07e8c
cli-build-a03642b
cli-build-b2bfc3d
nightly-main-20260622175622-ee59f8170698
nightly-main-20260624070737-c5378d1847ac
nightly-main-20260624190005-8ecd136e5265
nightly-main-20260624210220-bd662d81f6f5
nightly-main-20260626011511-78f173672361
cli-v3.*
cli-v3.0.0
cli-v3.0.1
cli-v3.0.10
cli-v3.0.11
cli-v3.0.12
cli-v3.0.13
cli-v3.0.14
cli-v3.0.15
cli-v3.0.16
cli-v3.0.17
cli-v3.0.18
cli-v3.0.19
cli-v3.0.2
cli-v3.0.20
cli-v3.0.21
cli-v3.0.22
cli-v3.0.23
cli-v3.0.24
cli-v3.0.25
cli-v3.0.26
cli-v3.0.27
cli-v3.0.28
cli-v3.0.29
cli-v3.0.3
cli-v3.0.4
cli-v3.0.5
cli-v3.0.6
cli-v3.0.7
cli-v3.0.8
cli-v3.0.9
sdk/agents/v0.*
sdk/agents/v0.0.40
sdk/agents/v0.0.41
sdk/agents/v0.0.42
sdk/agents/v0.0.43
sdk/agents/v0.0.44
sdk/agents/v0.0.45
sdk/agents/v0.0.46
sdk/agents/v0.0.47
sdk/agents/v0.0.48
sdk/agents/v0.0.49
sdk/agents/v0.0.50
sdk/agents/v0.0.51
sdk/agents/v0.0.52
sdk/core/v0.*
sdk/core/v0.0.40
sdk/core/v0.0.41
sdk/core/v0.0.42
sdk/core/v0.0.43
sdk/core/v0.0.44
sdk/core/v0.0.45
sdk/core/v0.0.46
sdk/core/v0.0.47
sdk/core/v0.0.48
sdk/core/v0.0.49
sdk/core/v0.0.50
sdk/core/v0.0.51
sdk/core/v0.0.52
sdk/llms/v0.*
sdk/llms/v0.0.40
sdk/llms/v0.0.41
sdk/llms/v0.0.42
sdk/llms/v0.0.43
sdk/llms/v0.0.44
sdk/llms/v0.0.45
sdk/llms/v0.0.46
sdk/llms/v0.0.47
sdk/llms/v0.0.48
sdk/llms/v0.0.49
sdk/llms/v0.0.50
sdk/llms/v0.0.51
sdk/llms/v0.0.52
sdk/sdk/v0.*
sdk/sdk/v0.0.40
sdk/sdk/v0.0.41
sdk/sdk/v0.0.42
sdk/sdk/v0.0.43
sdk/sdk/v0.0.44
sdk/sdk/v0.0.45
sdk/sdk/v0.0.46
sdk/sdk/v0.0.47
sdk/sdk/v0.0.48
sdk/sdk/v0.0.49
sdk/sdk/v0.0.50
sdk/sdk/v0.0.51
sdk/sdk/v0.0.52
sdk/shared/v0.*
sdk/shared/v0.0.40
sdk/shared/v0.0.41
sdk/shared/v0.0.42
sdk/shared/v0.0.43
sdk/shared/v0.0.44
sdk/shared/v0.0.45
sdk/shared/v0.0.46
sdk/shared/v0.0.47
sdk/shared/v0.0.48
sdk/shared/v0.0.49
sdk/shared/v0.0.50
sdk/shared/v0.0.51
sdk/shared/v0.0.52
v0.*
v0.0.1-cli
v0.0.2-cli
v1.*
v1.0.4
v1.0.51
v1.0.6
v1.0.61
v1.0.62
v1.0.7
v1.0.71
v1.0.72
v1.0.73
v1.0.82
v1.0.84
v1.0.85
v1.0.9
v1.0.91
v1.0.92
v1.0.93
v1.0.94
v1.0.95
v1.0.98
v1.1.0
v1.1.1
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.5.13
v1.5.19
v1.5.27
v1.5.4
v1.5.6
v1.6.0
v1.6.5
v1.7.0
v1.8.0
v1.9.0
v2.*
v2.0.0
v2.0.4-cli
v2.0.5-cli
v2.1.0
v2.11.0-cli
v2.12.0-cli
v2.13.0-cli
v2.14.0-cli
v2.15.0-cli
v2.16.0-cli
v2.17.0-cli
v2.18.0-cli
v2.2.0
v2.2.0-cli
v2.2.1-cli
v2.2.2-cli
v2.2.3-cli
v2.4.0-cli
v2.4.1-cli
v2.4.2-cli
v2.4.3-cli
v2.5.0-cli
v2.5.1-cli
v2.5.2-cli
v2.6.0-cli
v2.6.1-cli
v2.7.0-cli
v2.7.1-cli
v2.8.0-cli
v2.8.1-cli
v2.8.2-cli
v2.9.0-cli
v3.*
v3.0.0
v3.1.0
v3.10.0
v3.10.1
v3.11.0
v3.11.1
v3.12.0
v3.12.1
v3.12.2
v3.12.3
v3.13.1
v3.13.2
v3.13.3
v3.14.0
v3.15.0
v3.15.1
v3.15.2
v3.15.3
v3.15.4
v3.15.5
v3.16.1
v3.16.2
v3.16.3
v3.17.0
v3.17.1
v3.17.10
v3.17.11
v3.17.12
v3.17.13
v3.17.14
v3.17.14-a
v3.17.15
v3.17.16
v3.17.2
v3.17.3
v3.17.4
v3.17.5
v3.17.6
v3.17.7
v3.17.8
v3.17.9
v3.18.0
v3.18.1
v3.18.10
v3.18.11
v3.18.12
v3.18.13
v3.18.14
v3.18.15
v3.18.2
v3.18.3
v3.18.4
v3.18.5
v3.18.6
v3.18.9
v3.19.2
v3.19.3
v3.19.4
v3.19.5
v3.19.6
v3.19.7
v3.19.8
v3.2.0
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.20.0
v3.20.1
v3.20.11
v3.20.12
v3.20.13
v3.20.2
v3.20.3
v3.20.4
v3.20.5
v3.20.6
v3.20.7
v3.20.8
v3.20.9
v3.21.0
v3.22.0
v3.23.0
v3.24.0
v3.25.0
v3.25.1
v3.25.2
v3.25.3
v3.26.0
v3.26.1
v3.26.2
v3.26.3
v3.26.4
v3.26.5
v3.26.6
v3.28.0
v3.28.1
v3.28.2
v3.28.3
v3.28.4
v3.29.0
v3.29.1
v3.29.2
v3.3.0
v3.30.0
v3.30.1
v3.30.2
v3.30.3
v3.31.0
v3.31.1
v3.32.0
v3.32.1
v3.32.2
v3.32.3
v3.32.4
v3.32.5
v3.32.6
v3.32.6-cli
v3.32.7
v3.33.0
v3.33.1
v3.34.0
v3.34.1
v3.35.0
v3.35.1
v3.36.0
v3.36.1
v3.37.0
v3.37.1
v3.38.0
v3.38.1
v3.38.3
v3.39.0
v3.39.1
v3.39.2
v3.4.0
v3.40.0
v3.41.0
v3.42.0
v3.43.0
v3.43.1
v3.44.0
v3.44.1
v3.44.2
v3.45.0
v3.46.0
v3.46.1
v3.47.0
v3.48.0
v3.49.0
v3.49.1
v3.5.0
v3.5.1
v3.50.0
v3.51.0
v3.52.0
v3.53.0
v3.53.1
v3.54.0
v3.55.0
v3.56.0
v3.57.0
v3.57.1
v3.58.0
v3.59.0
v3.6.0
v3.6.9
v3.61.0
v3.62.0
v3.63.0
v3.64.0
v3.65.0
v3.66.0
v3.67.0
v3.67.1
v3.68.0
v3.69.0
v3.7.0
v3.7.1
v3.70.0
v3.71.0
v3.72.0
v3.73.0
v3.74.0
v3.75.0
v3.76.0
v3.77.0
v3.78.0
v3.79.0
v3.8.0
v3.8.3
v3.8.4
v3.8.5
v3.8.6
v3.80.0
v3.81.0
v3.82.0
v3.83.0
v3.84.0
v3.85.0
v3.86.0
v3.86.1
v3.86.2
v3.87.0
v3.88.0
v3.88.1
v3.89.0
v3.89.1
v3.89.2
v3.9.0
v3.9.1
v3.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59723.json"