CVE 8.8 HIGH

OpenCode’s Unauthenticated HTTP Server Allows Arbitrary Command Execution_CVE-2026-22812

January 12, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.

AI Analysis

Unauthenticated HTTP server allows arbitrary command execution

Basic Information

ID CVE-2026-22812

Source GitHub_M

Published Jan 12, 2026 at 22:49

Affected Product

Vendor anomalyco

Product opencode

Version < 1.0.216

Affected Versions anomalyco opencode < 1.0.216

CWE Classification

CWE-306 CWE-749 CWE-942

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Anomaly

Product OpenCode

Version < 1.0.216

References

github.com /anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh

{
    "lastseen": "",
    "description": "OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.",
    "published": "2026-01-12T22:49:18.325Z",
    "modified": "2026-01-12T22:49:18.325Z",
    "type": "cve",
    "title": "OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution",
    "source": "GitHub_M",
    "references": "https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh",
    "id": "CVE-2026-22812",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306",
        "CWE-749",
        "CWE-942"
    ],
    "cvelist": null,
    "sourceData": "anomalyco opencode < 1.0.216",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "opencode",
    "version": "< 1.0.216",
    "vendor": "anomalyco",
    "ai_description": "Unauthenticated HTTP server allows arbitrary command execution",
    "ai_severity": "High",
    "ai_vendor": "Anomaly",
    "ai_product": "OpenCode",
    "ai_version": "< 1.0.216",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply