CVE-2026-22812
Unauthenticated Remote Code Execution in OpenCode HTTP Server
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Affected Vendors & Products
| Vendor | Product | Version |
|---|---|---|
| anomalyco | opencode-ai | to 1.0.216 (exc) |
| anomalyco | opencode | to 1.0.216 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-749 | The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted. |
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated remote code execution with the user's privileges, potentially leading to full system compromise and unauthorized access to sensitive data. This could result in violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information. The exposure of critical functions without authentication and permissive CORS policies increases the risk of data breaches and unauthorized data processing, thereby negatively impacting compliance with these standards. [1]
Can you explain this vulnerability to me?
CVE-2026-22812 is a critical vulnerability in the OpenCode AI coding agent (versions prior to 1.0.216) where it automatically starts an unauthenticated HTTP server that listens on a default port. This server exposes several critical endpoints without any authentication or access control, allowing any local process or malicious website (via permissive CORS settings) to execute arbitrary shell commands with the user's privileges. This includes creating interactive terminal sessions and reading arbitrary files. The vulnerability enables remote attackers to execute commands as the user running OpenCode, either locally or through a browser-based attack. [1]
How can this vulnerability impact me? :
This vulnerability can lead to full system compromise because attackers can execute arbitrary shell commands with the same privileges as the user running OpenCode. Local malicious processes or npm packages can exploit it, as well as remote attackers via malicious websites exploiting permissive CORS settings. This can result in unauthorized file access, data modification, or disruption of system availability. If OpenCode is started with the --mdns flag, the attack surface expands to the entire local network, increasing risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if the OpenCode application is running an unauthenticated HTTP server on its default port (4096+). You can use network scanning tools or commands like `netstat -tuln | grep 4096` or `ss -tuln | grep 4096` to see if the server is listening. Additionally, you can try sending HTTP requests to endpoints such as `POST /session/:id/shell` or `POST /pty` on localhost to test if arbitrary command execution is possible without authentication. For example, using curl: `curl -X POST http://localhost:4096/session/test/shell -d 'command=echo PWNED > /tmp/pwned.txt'` to check if the command executes. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenCode to version 1.0.216 or later, where this vulnerability is fixed. Until then, avoid running OpenCode on untrusted networks, do not use the `--mdns` flag which exposes the server to all interfaces, and restrict network access to the default port (4096+) to trusted users only. Additionally, consider stopping the OpenCode service if possible until patched. [1]