Cyber Posture

CVE-2026-30313

Severity: Critical
Published: 30 March 2026
Modified: 08 April 2026
KEV Added: (no date listed)
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0085 (74.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as ;, &&, ||, | and command substitution patterns, it fails to account for raw newline characters embedded within the input. An attacker can construct a payload by embedding a literal newline between a whitelisted command and malicious code (e.g. "git log", a literal newline, then "malicious_command"), forcing DSAI-Cline to misidentify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator and executes both commands sequentially, resulting in Remote Code Execution without any user interaction.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- [prevent] Directly mandates validating command inputs to the auto-approval module, preventing injection attacks that exploit unhandled newline characters.
- [prevent, recover] Requires timely remediation of the specific command injection flaw through identification, patching, and verification of updates.
- [prevent] Enforces least privilege on the PowerShell process executing approved commands, limiting the scope and impact of injected malicious code.

Security Summary [AI-generated]

CVE-2026-30313 is a critical OS command injection vulnerability in DSAI-Cline's command auto-approval module. The flaw stems from the module's reliance on string-based parsing for whitelist validation, which blocks certain dangerous operators like ;, &&, ||, |, and command substitution patterns but fails to handle raw newline characters embedded in input. This allows attackers to insert a literal newline between a whitelisted command and malicious code, such as "git log" followed by a newline and the payload, causing the system to misparse it as safe and auto-approve execution. The underlying PowerShell interpreter interprets the newline as a command separator, executing both parts sequentially.

The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-94 (Improper Control of Generation of Code). It can be exploited remotely by unauthenticated attackers with low complexity and no user interaction, leading to full remote code execution on the affected system.

Further details, advisories, and potential patches are documented in the referenced repositories: https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/9 and https://github.com/necboy/cline-DSAI. The vulnerability was published on 2026-03-30.
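The Description and Security Summary above both turn on the same parsing mistake: a validator that enumerates known separators (;, &&, ||, |, command substitution) and treats a raw newline as ordinary whitespace, while the PowerShell interpreter treats that newline as a statement terminator. The following is an added illustration, not Cline's or DSAI-Cline's code; the allowlisted commands, the function names and the sample inputs are constructed for the example. It places a validator modelled on the described behaviour beside a hardened one that accepts only a positive set of characters, so that any separator the denylist does not know about (LF, CR, NUL, Unicode line separators) is rejected by construction rather than by enumeration, and it matches the allowlisted command on whole tokens rather than on a string prefix.

```typescript
// Added example (not the project's code). Allowlist contents are an assumption.
const ALLOWED_COMMANDS: readonly string[] = ["git log", "git status", "git diff", "ls"];

// Separators the string-based validator in the advisory is described as checking.
// Note what is absent: "\n" and "\r".
const KNOWN_OPERATORS: RegExp = /;|&&|\|\||\||\$\(|`/;

// True when argv begins with every token of the allowlisted command.
function matchesAllowlisted(want: string[], argv: string[]): boolean {
  return want.length <= argv.length && want.every((w, i) => w === argv[i]);
}

// Naive validator modelled on the advisory: denylist the operators it knows,
// then tokenize on whitespace. "\s" matches "\n", so a newline-separated payload
// tokenizes as if the second line were just more arguments to the first.
function naiveIsAutoApproved(cmd: string): boolean {
  if (KNOWN_OPERATORS.test(cmd)) return false;
  const argv = cmd.trim().split(/\s+/);
  return ALLOWED_COMMANDS.some((c) => matchesAllowlisted(c.split(" "), argv));
}

// Index of the first ASCII control character (LF, CR, NUL, TAB, ...) in cmd,
// or -1 if none. Handy for logging why a request was refused auto-approval.
function firstControlChar(cmd: string): number {
  for (let i = 0; i < cmd.length; i++) {
    const code = cmd.charCodeAt(i);
    if (code < 0x20 || code === 0x7f) return i;
  }
  return -1;
}

// Hardened validator: a positive character allowlist. Newlines, carriage
// returns, NUL, U+2028/U+0085 and every shell operator fall outside this set,
// so they are rejected without having to be enumerated one by one.
const SAFE_CHARS: RegExp = /^[A-Za-z0-9 ._\/=:@-]*$/;

function hardenedIsAutoApproved(cmd: string): boolean {
  if (!SAFE_CHARS.test(cmd)) return false;
  // Split on a literal space only; no other whitespace survived SAFE_CHARS.
  const argv = cmd.split(" ").filter((t) => t.length > 0);
  return ALLOWED_COMMANDS.some((c) => matchesAllowlisted(c.split(" "), argv));
}

// Constructed inputs: a benign command and the newline-separated shape from the advisory.
const BENIGN = "git log --oneline";
const LF_SPLIT = "git log\nmalicious_command";
const CRLF_SPLIT = "git log\r\nmalicious_command";
const KNOWN_OPERATOR = "git log; malicious_command";
```

Run against the constructed inputs, the naive check approves both LF_SPLIT and CRLF_SPLIT while correctly refusing KNOWN_OPERATOR, which is exactly the gap the advisory describes; the hardened check refuses all three and still approves BENIGN. Rejecting on a character allowlist also covers the least-privilege control listed above only indirectly: it keeps the payload out of the approval path, but the PowerShell process that runs approved commands should still be confined in its own right.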

Details

CWE(s)

Affected Products

cline / cline: versions ≤ 1.1.2

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.001 PowerShell (Execution): Adversaries may abuse PowerShell commands and scripts for execution.
Why these techniques?

The vulnerability enables remote exploitation of a public-facing application (T1190) via OS command injection in a PowerShell interpreter (T1059.001), leading to arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References