Cyber Posture

CVE-2026-30312

Critical · RCE

Published: 31 March 2026
Modified: 01 April 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0085 (75.1st percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30312 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.9% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, PowerShell (T1059.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

- SI-10 Information Input Validation (prevent): Directly mandates validation of command inputs to prevent OS command injection via undetected raw newline characters bypassing the whitelist.
- SI-2 Flaw Remediation (prevent): Requires timely remediation of the specific flaw in string-based parsing that fails to block newline-separated malicious commands.
- (detect): Generates audit records for command auto-approval and PowerShell execution events to identify sequential execution of whitelisted and injected code.
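The detect control above asks for audit records of auto-approval decisions and PowerShell executions that can be correlated. The following is an added example written for this page, not DSAI-Cline's code and not any product's real log schema: it parses constructed JSON-lines audit records (field names `ts`, `kind`, `approvalId`, `command` are assumptions) and flags an approval whose text carries a raw line break, or an approval that led to more than one interpreter execution.

```typescript
// Added example, not DSAI-Cline's or any product's real log schema: correlating
// command auto-approval audit records with PowerShell execution events.
// Field names and the JSON-lines layout are assumptions made for this example.

export interface AuditEvent {
  ts: string;                        // ISO 8601 timestamp
  kind: "auto_approve" | "ps_exec";  // approval decision vs. interpreter execution
  approvalId: string;                // ties executions back to the approval that allowed them
  command: string;                   // approved command text, or the command line actually run
}

export interface Finding {
  approvalId: string;
  reasons: string[];
}

// Constructed sample records. Approval "a2" approved text containing a literal
// newline (JSON escape "\n"), and two executions followed from that one approval.
export const SAMPLE_LOG: string = [
  '{"ts":"2026-03-31T10:00:00Z","kind":"auto_approve","approvalId":"a1","command":"git status"}',
  '{"ts":"2026-03-31T10:00:01Z","kind":"ps_exec","approvalId":"a1","command":"git status"}',
  '{"ts":"2026-03-31T10:02:00Z","kind":"auto_approve","approvalId":"a2","command":"git log\\nmalicious_command"}',
  '{"ts":"2026-03-31T10:02:01Z","kind":"ps_exec","approvalId":"a2","command":"git log"}',
  '{"ts":"2026-03-31T10:02:01Z","kind":"ps_exec","approvalId":"a2","command":"malicious_command"}',
].join("\n");

/** Parses JSON-lines audit text; blank lines are skipped, malformed lines throw. */
export function parseLog(text: string): AuditEvent[] {
  return text
    .split("\n")
    .filter((line) => line.trim().length > 0)
    .map((line) => JSON.parse(line) as AuditEvent);
}

/** Flags approvals whose text carries a raw line break, and approvals that
 *  led to more than one interpreter execution (one approval, several commands). */
export function detectSplitApprovals(events: AuditEvent[]): Finding[] {
  const byApproval: Record<string, { approved?: string; execs: string[] }> = {};
  for (const e of events) {
    if (!byApproval[e.approvalId]) {
      byApproval[e.approvalId] = { execs: [] };
    }
    if (e.kind === "auto_approve") {
      byApproval[e.approvalId].approved = e.command;
    } else {
      byApproval[e.approvalId].execs.push(e.command);
    }
  }
  const findings: Finding[] = [];
  for (const id of Object.keys(byApproval)) {
    const entry = byApproval[id];
    const reasons: string[] = [];
    if (entry.approved !== undefined && /[\r\n]/.test(entry.approved)) {
      reasons.push("approved command text contains a raw line break");
    }
    if (entry.execs.length > 1) {
      reasons.push("one approval produced " + entry.execs.length + " PowerShell executions");
    }
    if (reasons.length > 0) {
      findings.push({ approvalId: id, reasons: reasons });
    }
  }
  return findings;
}

// Stand-alone run over the constructed records: only approval "a2" is reported.
for (const f of detectSplitApprovals(parseLog(SAMPLE_LOG))) {
  console.log("approval " + f.approvalId + ": " + f.reasons.join("; "));
}
```

The second rule (several executions under one approval id) is the one that survives even if the approval record itself logs a sanitised or truncated command string, which is why both signals are kept rather than only scanning the approved text.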

MITRE ATT&CK Enterprise Techniques [AI]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.001 PowerShell (Execution): Adversaries may abuse PowerShell commands and scripts for execution.
Why these techniques?

The vulnerability enables exploitation of a public-facing application (T1190) via newline-based command injection, directly facilitating arbitrary PowerShell command execution (T1059.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as ;, &&, ||, |, and command substitution patterns, it fails to account for raw newline characters embedded within the input. An attacker can construct a payload by embedding a literal newline between a whitelisted command and malicious code (e.g., "git log\nmalicious_command"), forcing DSAI-Cline to misidentify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator, executing both commands sequentially, resulting in Remote Code Execution without any user interaction.

Deeper analysis [AI]

CVE-2026-30312 is a critical OS command injection vulnerability (CWE-78) in the command auto-approval module of DSAI-Cline, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The module uses string-based parsing to enforce a whitelist, blocking dangerous operators like ;, &&, ||, |, and command substitution patterns. However, it fails to detect raw newline characters embedded in inputs, allowing attackers to bypass validation entirely. When processed by the underlying PowerShell interpreter, the newline acts as a command separator, enabling sequential execution of both a whitelisted command and injected malicious code.

A remote attacker with network access to DSAI-Cline can exploit this vulnerability without authentication or user interaction by crafting a payload that inserts a literal newline between a whitelisted command and arbitrary malicious code, such as "git log\nmalicious_command". The auto-approval mechanism misidentifies the input as safe due to the whitelisted prefix, approving it automatically. PowerShell then executes the full payload, resulting in remote code execution with high confidentiality, integrity, and availability impacts.
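The NVD description and the analysis above both describe the same defect: an approval check that scans for shell operators and trusts a whitelisted prefix, but never considers a raw newline. The block below is an added example written for this page, not DSAI-Cline's own code; it rebuilds that weak check in simplified form next to a hardened one (reject control characters, then require the whole command to match an allow-list pattern). The whitelist entries, allow-list patterns, function names and sample inputs are assumptions; the placeholder `malicious_command` is the one the advisory itself uses.

```typescript
// Added example, not DSAI-Cline's code: a simplified command auto-approval
// check built the way the advisory describes the weak one (substring checks for
// shell operators plus a command prefix whitelist), beside a hardened version.
// Whitelist entries, patterns and function names are assumptions for this example.

// Constructed whitelist of command prefixes the weak checker trusts.
const WHITELIST_PREFIXES: string[] = ["git log", "git status", "npm test"];

// Operators the weak checker blocks. Note what is missing: raw "\n" and "\r".
const BLOCKED_OPERATORS: string[] = [";", "&&", "||", "|", "$(", "`"];

/** Weak check in the style the advisory describes: string scanning only. */
export function weakAutoApprove(cmd: string): boolean {
  if (BLOCKED_OPERATORS.some((op) => cmd.indexOf(op) !== -1)) {
    return false;
  }
  return WHITELIST_PREFIXES.some((prefix) => cmd.indexOf(prefix) === 0);
}

// Hardened allow-list: every approved command must match a full-string pattern,
// so a trusted prefix alone never approves anything. Patterns are illustrative.
const ALLOWED_COMMANDS: Record<string, RegExp> = {
  "git log": /^git log( (--oneline|--stat|-n [0-9]{1,3}))*$/,
  "git status": /^git status( (-s|--short))?$/,
  "npm test": /^npm test$/,
};

/** Hardened check: reject control characters first, then require an exact
 *  match against the allow-list pattern registered for the command's name. */
export function hardenedAutoApprove(cmd: string): boolean {
  // Any C0 control character (includes LF, CR, TAB, NUL) or DEL: never
  // auto-approve, whatever the rest of the string looks like.
  if (/[\u0000-\u001f\u007f]/.test(cmd)) {
    return false;
  }
  for (const name of Object.keys(ALLOWED_COMMANDS)) {
    if (cmd.indexOf(name) === 0 && ALLOWED_COMMANDS[name].test(cmd)) {
      return true;
    }
  }
  return false;
}

/** Runs both checkers over the same inputs and returns those the weak checker
 *  approved but the hardened one refused. */
export function compareCheckers(inputs: string[]): string[] {
  return inputs.filter((c) => weakAutoApprove(c) && !hardenedAutoApprove(c));
}

// Constructed inputs: a benign command, the operator form the weak check
// catches, and the newline forms it misses (advisory placeholder name kept).
export const SAMPLE_INPUTS: string[] = [
  "git log --oneline",
  "git log; malicious_command",
  "git log\nmalicious_command",
  "git log\r\nmalicious_command",
];

for (const c of SAMPLE_INPUTS) {
  console.log(JSON.stringify(c), "weak:", weakAutoApprove(c), "hardened:", hardenedAutoApprove(c));
}
```

The anchored allow-list pattern is what does the real work: in JavaScript a `$` without the `m` flag matches only at the very end of the string, so even without the control-character check a trailing `\n...` would fail the pattern. The control-character rejection is defence in depth and also covers carriage returns, tabs and NUL, whose handling by any downstream interpreter is not something an approval check should have to reason about.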

Advisories and further details are available in the referenced GitHub repositories: https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/9 and https://github.com/necboy/cline-DSAI. These sources document the issue in the context of LLM tool-calling vulnerabilities.

Details

CWE(s): CWE-78 (OS Command Injection)

CVEs Like This One

- CVE-2026-23702 (shared CWE-78)
- CVE-2024-50603 (shared CWE-78)
- CVE-2022-50919 (shared CWE-78)
- CVE-2026-4631 (shared CWE-78)
- CVE-2024-57687 (shared CWE-78)
- CVE-2023-54339 (shared CWE-78)
- CVE-2024-49601 (shared CWE-78)
- CVE-2026-34387 (shared CWE-78)
- CVE-2025-51958 (shared CWE-78)
- CVE-2025-43984 (shared CWE-78)

References

- https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/9
- https://github.com/necboy/cline-DSAI