CVE-2026-30313
Published: 30 March 2026
Summary
CVE-2026-30313 is a critical-severity Code Injection (CWE-94) vulnerability in Cline (the DSAI-Cline command auto-approval module). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-30313 is a critical OS command injection vulnerability in DSAI-Cline's command auto-approval module. The flaw stems from the module's reliance on string-based parsing for whitelist validation, which blocks certain dangerous operators like ;, &&, ||, |, and command substitution patterns but fails to handle raw newline characters embedded in input. This allows attackers to insert a literal newline between a whitelisted command and malicious code, such as "git log" followed by a newline and the payload, causing the system to misparse it as safe and auto-approve execution. The underlying PowerShell interpreter interprets the newline as a command separator, executing both parts sequentially.
The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-94 (Improper Control of Generation of Code). It can be exploited remotely by unauthenticated attackers with low complexity and no user interaction, leading to full remote code execution on the affected system.
Further details, advisories, and potential patches are documented in the referenced repositories: https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/9 and https://github.com/necboy/cline-DSAI. The vulnerability was published on 2026-03-30.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17205
Vulnerability details
DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as ;, &&, ||, |, and command substitution patterns, it fails to account for raw newline characters embedded within the input. An attacker can construct a payload by embedding a literal newline between a whitelisted command and malicious code (e.g., git log followed by a newline and the malicious command), forcing DSAI-Cline to misidentify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator, executing both commands sequentially, resulting in Remote Code Execution without any user interaction.
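To make the defect class concrete, here is an added example in TypeScript (the language Cline is written in); it is not code from Cline or DSAI-Cline, and the function names, the whitelist entries and the sample commands are all constructed for illustration. It models an auto-approval check that blacklists shell operators and then does a plain prefix match against an allow-list, which is exactly the shape that lets a raw newline through, and places a hardened validator beside it that rejects any control or line-break character before the whitelist is even consulted.

```typescript
// Added example, not Cline's code: a minimal model of a command auto-approval
// whitelist with the defect class described in CVE-2026-30313 (operator
// blacklisting that ignores raw newlines), next to a hardened validator.
// The whitelist and the command strings below are constructed for illustration.

// Constructed sample whitelist of command prefixes the user has auto-approved.
const ALLOWED_PREFIXES: readonly string[] = ["git log", "git status", "git diff"];

// Shell/PowerShell operators the string-based check looks for.
const BLOCKED_OPERATORS: readonly string[] = [";", "&&", "||", "|", "$(", "`"];

function containsBlockedOperator(cmd: string): boolean {
  return BLOCKED_OPERATORS.some((op) => cmd.includes(op));
}

// Flawed validator: blocks known separators, then does a plain prefix match.
// A literal newline is neither a blocked operator nor a prefix mismatch, so
// "git log\nwhoami" is approved even though PowerShell runs two statements.
function vulnerableAutoApprove(cmd: string): boolean {
  if (containsBlockedOperator(cmd)) return false;
  return ALLOWED_PREFIXES.some((prefix) => cmd.startsWith(prefix));
}

// Characters that PowerShell (and other shells) treat as statement
// terminators, or that should never appear in an interactive command:
// CR, LF, NUL and the rest of the C0 range, DEL, plus NEL and the Unicode
// line/paragraph separators, which a lenient parser may also treat as breaks.
const CONTROL_OR_LINE_BREAK = /[\u0000-\u001f\u007f\u0085\u2028\u2029]/;

// Hardened validator: reject any control or line-break character outright,
// keep the operator check, then require the whitelisted prefix to end at a
// token boundary so that "git logger" does not ride on the "git log" entry.
function hardenedAutoApprove(cmd: string): boolean {
  if (CONTROL_OR_LINE_BREAK.test(cmd)) return false;
  if (containsBlockedOperator(cmd)) return false;
  return ALLOWED_PREFIXES.some((prefix) => {
    if (!cmd.startsWith(prefix)) return false;
    const rest = cmd.slice(prefix.length);
    return rest.length === 0 || rest.startsWith(" ");
  });
}

// Runs constructed inputs through both validators and returns the decisions
// side by side, so the newline bypass is visible at a glance.
function compareDecisions(): Array<{ cmd: string; vulnerable: boolean; hardened: boolean }> {
  const samples: string[] = [
    "git log",
    "git log --oneline",
    "git log; whoami",
    "git log\nwhoami",
    "git log\r\nwhoami",
  ];
  return samples.map((cmd) => ({
    cmd,
    vulnerable: vulnerableAutoApprove(cmd),
    hardened: hardenedAutoApprove(cmd),
  }));
}

for (const d of compareDecisions()) {
  console.log(JSON.stringify(d.cmd).padEnd(24), "vulnerable:", d.vulnerable, "hardened:", d.hardened);
}
```

The design point is ordering: character-level validation of the whole string comes first, and only then is the allow-list consulted, so the decision never depends on how the interpreter will later tokenise the input. The same control-character test is also a cheap detection: any auto-approved command that was logged with an embedded CR, LF or other C0 byte deserves a look.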
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a public-facing application (T1190) via OS command injection in a PowerShell interpreter (T1059.001), leading to arbitrary code execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mandates validating command inputs to the auto-approval module, preventing injection attacks that exploit unhandled newline characters.
- SI-2 (Flaw Remediation): Requires timely remediation of the specific command injection flaw through identification, patching, and verification of updates.
- AC-6 (Least Privilege): Enforces least privilege on the PowerShell process executing approved commands, limiting the scope and impact of injected malicious code.