FKIE_CVE-2026-30313

Vulnerability from fkie_nvd - Published: 2026-03-30 21:17 - Updated: 2026-04-08 15:38
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as ;, &&, ||, |, and command substitution patterns, it fails to account for raw newline characters embedded within the input. An attacker can construct a payload by embedding a literal newline between a whitelisted command and malicious code (e.g., git log malicious_command), forcing DSAI-Cline to misidentify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator, executing both commands sequentially, resulting in Remote Code Execution without any user interaction.
References
cve@mitre.orghttps://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/9Third Party Advisory
cve@mitre.orghttps://github.com/necboy/cline-DSAIProduct
Impacted products
Vendor Product Version
cline cline *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cline:cline:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F2D265D-27A6-4037-B0AC-C85E27D00E31",
              "versionEndIncluding": "1.1.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "DSAI-Cline\u0027s command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as ;, \u0026\u0026, ||, |, and command substitution patterns, it fails to account for raw newline characters embedded within the input. An attacker can construct a payload by embedding a literal newline between a whitelisted command and malicious code (e.g., git log malicious_command), forcing DSAI-Cline to misidentify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator, executing both commands sequentially, resulting in Remote Code Execution without any user interaction."
    },
    {
      "lang": "es",
      "value": "El m\u00f3dulo de autoaprobaci\u00f3n de comandos de DSAI-Cline contiene una vulnerabilidad cr\u00edtica de inyecci\u00f3n de comandos del sistema operativo que hace que su mecanismo de seguridad de lista blanca sea completamente ineficaz. El sistema se basa en el an\u00e1lisis de cadenas para validar comandos; si bien intercepta operadores peligrosos como ;, \u0026amp;\u0026amp;, ||, | y patrones de sustituci\u00f3n de comandos, no tiene en cuenta los caracteres de nueva l\u00ednea sin procesar incrustados en la entrada. Un atacante puede construir una carga \u00fatil incrustando una nueva l\u00ednea literal entre un comando de lista blanca y c\u00f3digo malicioso (por ejemplo, git log malicious_command), lo que obliga a DSAI-Cline a identificarlo err\u00f3neamente como una operaci\u00f3n segura y aprobarlo autom\u00e1ticamente. El int\u00e9rprete de PowerShell subyacente trata la nueva l\u00ednea como un separador de comandos, ejecutando ambos comandos secuencialmente, lo que resulta en ejecuci\u00f3n remota de c\u00f3digo sin ninguna interacci\u00f3n del usuario."
    }
  ],
  "id": "CVE-2026-30313",
  "lastModified": "2026-04-08T15:38:06.820",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-30T21:17:09.230",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/9"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/necboy/cline-DSAI"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.