CVE-2026-22812
Published: 12 January 2026
Description
OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.
Mitigating Controls (NIST 800-53 r5) (AI)
Directly addresses the missing authentication for the critical shell execution function by identifying and restricting permitted actions without identification or authentication on the exposed HTTP endpoint.
Enforces approved access authorizations to prevent unauthorized local or remote (via CORS) execution of arbitrary shell commands through the unauthenticated HTTP server.
Restricts the system to least functionality by prohibiting or disabling the unnecessary unauthenticated HTTP server that exposes the dangerous shell command endpoint.
Security Summary (AI)
CVE-2026-22812 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) affecting OpenCode, an open source AI coding agent, in versions prior to 1.0.216. The issue stems from OpenCode automatically launching an unauthenticated HTTP server upon startup. This server exposes an endpoint that allows any local process, or any remote website via permissive CORS policies, to execute arbitrary shell commands with the privileges of the user running OpenCode. It is associated with CWEs 306 (Missing Authentication for Critical Function), 749 (Exposed Dangerous Method or Function), and 942 (Permissive Cross-domain Policy with Untrusted Domains).
The attack scenario requires low complexity and no attacker privileges but relies on user interaction (UI:R). A remote attacker can exploit it over the network by crafting a malicious website that, when visited by a victim running a vulnerable OpenCode instance, leverages the permissive CORS to send requests triggering shell command execution. Local processes on the victim's machine can also abuse the unauthenticated server directly. Successful exploitation grants the attacker remote code execution (RCE) at user level, enabling high-impact compromise of confidentiality, integrity, and availability, such as data theft, persistence, or further lateral movement.
The GitHub security advisory (GHSA-vxw4-wv6m-9hhh) confirms the vulnerability was fixed in OpenCode version 1.0.216. Security practitioners should upgrade to this version or later and review local network exposure of OpenCode instances, disabling or firewalling the HTTP server if it is not needed. Additional mitigations include browser protections against cross-origin requests and user education on running AI coding agents.
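The two server-side checks that CWE-306 and CWE-942 call for, sketched as an added example; this is not OpenCode's code or its 1.0.216 fix, and `POLICY`, `gate` and `sameToken` are hypothetical names with constructed values.

```javascript
// Added example: hypothetical request gate for a localhost control server.
// POLICY values are constructed; a real token would be random per session.
const POLICY = {
  token: "constructed-session-token-0001",
  allowedOrigins: ["http://localhost:3000"], // exact match only, never "*"
};

// Length-independent comparison; in Node prefer crypto.timingSafeEqual.
function sameToken(presented, expected) {
  let diff = presented.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= (presented.charCodeAt(i % (presented.length || 1)) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Returns the response decision for one request; header names are lower-case.
function gate(req, policy = POLICY) {
  const origin = req.headers["origin"];
  // Browsers attach Origin to cross-site requests. Refuse any origin that is
  // not allowlisted before doing work: CORS alone only hides the response,
  // it does not stop a "simple" cross-site POST from reaching the handler.
  if (origin !== undefined && !policy.allowedOrigins.includes(origin)) {
    return { status: 403, headers: {}, reason: "origin not allowed" };
  }
  const cors = origin ? { "access-control-allow-origin": origin, vary: "Origin" } : {};
  if (req.method === "OPTIONS") {
    // Preflight carries no credentials; it is answered only for allowlisted origins.
    const allow = { "access-control-allow-headers": "authorization, content-type" };
    return { status: 204, headers: { ...cors, ...allow }, reason: "preflight" };
  }
  // Local processes send no Origin, so authentication must not depend on it.
  const m = /^Bearer (\S+)$/.exec(req.headers["authorization"] || "");
  if (!m || !sameToken(m[1], policy.token)) {
    return { status: 401, headers: cors, reason: "missing or invalid token" };
  }
  return { status: 200, headers: cors, reason: "authorized" };
}

// Constructed requests: hostile page, unauthenticated local process, legitimate client.
const samples = [
  { method: "POST", headers: { origin: "https://attacker.example" } },
  { method: "POST", headers: {} },
  { method: "POST", headers: { authorization: "Bearer " + POLICY.token } },
];
for (const s of samples) console.log(gate(s).status, gate(s).reason);
```

The gate only helps if the listener is also bound to the loopback interface and the token is delivered to the legitimate client out of band.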
Details
- CWE(s)
Affected Products
AI Security Analysis (AI)
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: ai
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability exposes an unauthenticated network-accessible HTTP endpoint in the OpenCode client application that executes arbitrary shell commands, exploitable remotely via malicious websites using permissive CORS (UI:R), directly enabling T1203 (Exploitation for Client Execution), T1190 (Exploit Public-Facing Application), and T1059 (Command and Scripting Interpreter).