CVE-2026-30312
Published: 31 March 2026
Description
DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as ;, &&, ||, |, and…
more
command substitution patterns, it fails to account for raw newline characters embedded within the input. An attacker can construct a payload by embedding a literal newline between a whitelisted command and malicious code (e.g., git log malicious_command), forcing DSAI-Cline to misidentify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator, executing both commands sequentially, resulting in Remote Code Execution without any user interaction.
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation of command inputs to prevent OS command injection via undetected raw newline characters bypassing the whitelist.
Requires timely remediation of the specific flaw in string-based parsing that fails to block newline-separated malicious commands.
Generates audit records for command auto-approval and PowerShell execution events to identify sequential execution of whitelisted and injected code.
Security SummaryAI
CVE-2026-30312 is a critical OS command injection vulnerability (CWE-78) in the command auto-approval module of DSAI-Cline, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The module uses string-based parsing to enforce a whitelist, blocking dangerous operators like ;, &&, ||, |, and command substitution patterns. However, it fails to detect raw newline characters embedded in inputs, allowing attackers to bypass validation entirely. When processed by the underlying PowerShell interpreter, the newline acts as a command separator, enabling sequential execution of both a whitelisted command and injected malicious code.
A remote attacker with network access to DSAI-Cline can exploit this vulnerability without authentication or user interaction by crafting a payload that inserts a literal newline between a whitelisted command and arbitrary malicious code, such as "git log\nmalicious_command". The auto-approval mechanism misidentifies the input as safe due to the whitelisted prefix, approving it automatically. PowerShell then executes the full payload, resulting in remote code execution with high confidentiality, integrity, and availability impacts.
Advisories and further details are available in the referenced GitHub repositories: https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/9 and https://github.com/necboy/cline-DSAI. These sources document the issue in the context of LLM tool-calling vulnerabilities.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables exploitation of a public-facing application (T1190) via newline-based command injection, directly facilitating arbitrary PowerShell command execution (T1059.001).