
Description

OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.

Status: PUBLISHED | Reserved 2026-01-09 | Published 2026-01-12 | Updated 2026-01-13 | Assigner GitHub_M

HIGH: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Problem types

CWE-306: Missing Authentication for Critical Function

CWE-749: Exposed Dangerous Method or Function

CWE-942: Permissive Cross-domain Policy with Untrusted Domains

Product status

< 1.0.216: affected

References

github.com/...encode/security/advisories/GHSA-vxw4-wv6m-9hhh (exploit)

github.com/...encode/security/advisories/GHSA-vxw4-wv6m-9hhh

cve.org (CVE-2026-22812)

nvd.nist.gov (CVE-2026-22812)
