Product Overview – OpenCode
OpenCode is a locally deployed, open-source AI coding assistant designed for developers. It operates through a command-line interface and optionally exposes a browser-based web UI. To enable interaction between the UI and the agent, OpenCode starts a local HTTP server bound to localhost.
Because OpenCode can execute shell commands, manage terminals, and access the local file system, any weakness in its HTTP server or UI layer directly exposes the host system. The vulnerabilities below exploit unsafe defaults in both areas.
Vulnerability Summary
The following two vulnerabilities affect the same product (OpenCode) but different components.
They can be exploited independently or chained together for full host compromise.
CVE Comparison Table
| Field | CVE-2026-22812 | CVE-2026-22813 |
|---|---|---|
| CVE ID | CVE-2026-22812 | CVE-2026-22813 |
| Vulnerability name | Unauthenticated local HTTP server → Command execution | HTML injection → JavaScript execution (XSS) |
| Affected component | OpenCode local HTTP API | OpenCode Web UI (Markdown renderer) |
| Affected versions | OpenCode < 1.0.216 | OpenCode < 1.1.10 |
| Attack vector | Local / browser-assisted | Browser-based |
| Authentication required | No | No |
| User interaction | Not required (local) / minimal | Required (viewing malicious content) |
| Privilege level gained | Same as OpenCode user | Same as OpenCode user |
| CVSS version | CVSS v3.1 | CVSS v4.0 |
| CVSS base score | 8.8 | 9.4 |
| Severity | High | Critical |
| Exploit availability | Proof-of-concept available (educational) | Proof-of-concept available (educational) |
| Chaining potential | Yes | Yes (can trigger CVE-2026-22812) |
CVE-2026-22812 – Unauthenticated HTTP Server → Command Execution
Technical Description
OpenCode automatically launches a local HTTP server to support UI and automation features.
In vulnerable versions:
- The server exposed sensitive endpoints without authentication
- Requests from any local process or browser context were accepted
- CORS rules allowed cross-origin browser requests
- Certain endpoints could spawn PTY sessions or execute shell commands
This effectively turned the OpenCode service into an unauthenticated local command execution API.
Exploitation Scenarios
Local attack
A malicious local program can directly send HTTP requests to OpenCode’s API and trigger command execution without user consent.
Browser-assisted attack
A malicious website opened in a browser can silently send requests to http://localhost:<opencode_port> and cause commands to execute due to permissive CORS behavior.
Impact
- Arbitrary command execution
- Access to developer files and source code
- Theft of environment variables, tokens, and credentials
- Installation of persistence mechanisms
- Full compromise of the developer workstation
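The weaknesses listed in the technical description above (no authentication, any local or browser caller accepted, permissive CORS) can be closed with a request gate in front of the sensitive endpoints. The sketch below is an added example, not OpenCode's code or its actual patch; the port, the function names and the bearer-token scheme are assumptions made for illustration.

```python
import hmac
import secrets

PORT = 4096  # placeholder; the page does not state the port
# Assumption: the only origins allowed to call the API are the tool's own UI.
ALLOWED_ORIGINS = {f"http://localhost:{PORT}", f"http://127.0.0.1:{PORT}"}
# Assumption: a random secret created at startup and handed only to the real UI/CLI.
SESSION_TOKEN = secrets.token_urlsafe(32)


def authorize(headers, token=SESSION_TOKEN):
    """Return (status, reason) for a request to a command-executing endpoint."""
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers attach Origin to cross-origin requests; refuse any origin but our own UI.
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-origin request"
    # Local non-browser processes send no Origin, so a secret is required as well.
    scheme, _, presented = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(
        presented.encode(), token.encode()
    ):
        return 401, "missing or invalid token"
    return 200, "ok"


def cors_headers(origin):
    """Echo only an allowlisted origin; never '*' on an API that can run commands."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}
```

An origin check of this kind does not stop script injected into the UI itself (CVE-2026-22813), because that script runs inside the allowed origin.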
CVE-2026-22813 – HTML Injection → JavaScript Execution (XSS)
Technical Description
The OpenCode web UI renders Markdown content generated by the AI or loaded from external sources.
In vulnerable versions:
- Raw HTML was rendered without sanitization
- No effective content security restrictions were enforced
- Injected `<script>` blocks executed in the UI context
Because the UI shares the same origin as the local API, injected JavaScript can directly call OpenCode’s internal endpoints.
Exploitation Flow
- Attacker prepares a malicious chat/session containing injected HTML/JavaScript
- Victim loads the session in the OpenCode web UI
- JavaScript executes in the trusted `localhost` origin
- JavaScript calls internal API endpoints (e.g., PTY creation)
- Commands execute on the host system
This vulnerability is especially dangerous when combined with CVE-2026-22812.
Impact
- Arbitrary JavaScript execution
- Access to local OpenCode APIs
- Execution of operating-system commands
- Complete compromise of the OpenCode runtime
Detection and Monitoring Guidance
Key Indicators of Exploitation
Process-level indicators
- OpenCode spawning shells (`sh`, `bash`, `cmd.exe`, `powershell`)
- Unexpected child processes launched by OpenCode
- Command execution immediately after UI interaction
Network-level indicators
- HTTP POST requests to `localhost` OpenCode ports
- Browser user-agents accessing internal OpenCode API paths
- Loopback traffic involving terminal creation endpoints
Application-level indicators
- Requests to `/pty/` or similar execution endpoints
- OpenCode UI loading content from non-local sources
- Use of URL parameters that override session sources
Example Detection Rules (Conceptual)
1. Process Execution Rule
Trigger an alert when OpenCode spawns any shell or scripting interpreter.
IF parent_process == "opencode"
AND child_process IN ("cmd.exe", "powershell.exe", "bash", "sh", "python")
THEN alert "Possible OpenCode command execution abuse"
2. Local API Abuse Rule
Detect browser-initiated API calls to OpenCode execution endpoints.
IF http_destination == "localhost"
AND destination_port == OpenCode_port
AND request_path CONTAINS "/pty"
AND user_agent CONTAINS browser_identifier
THEN alert "Browser-driven OpenCode API execution attempt"
3. UI Injection Detection Rule
Detect loading of OpenCode UI sessions from unexpected external sources.
IF request_url CONTAINS "localhost"
AND query_parameter == "url"
AND parameter_value STARTS WITH "http"
THEN alert "External content loaded into OpenCode UI"
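The three conceptual rules above, written as runnable checks over normalized events. This is an added example, not part of the original advisory or of OpenCode; the event field names, the port value, the browser markers and the sample events are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the page): event schema, port value, browser markers.
OPENCODE_PORT = 4096  # placeholder; use the port your OpenCode instance listens on
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
SHELLS = {"cmd.exe", "powershell.exe", "bash", "sh", "python"}
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/")

def process_rule(ev):
    # Rule 1: OpenCode is the parent of a shell or scripting interpreter.
    return (ev.get("parent", "").lower() == "opencode"
            and ev.get("child", "").lower() in SHELLS)

def api_rule(ev):
    # Rule 2: browser user-agent calling a /pty path on the loopback OpenCode port.
    url = urlsplit(ev.get("url", ""))
    return (url.hostname in LOOPBACK and url.port == OPENCODE_PORT
            and "/pty" in url.path
            and any(m in ev.get("user_agent", "") for m in BROWSER_MARKERS))

def ui_rule(ev):
    # Rule 3: the UI is asked to load a session from an http(s) source via ?url=.
    url = urlsplit(ev.get("url", ""))
    sources = parse_qs(url.query).get("url", [])
    return url.hostname in LOOPBACK and any(s.lower().startswith("http") for s in sources)

RULES = [
    (process_rule, "Possible OpenCode command execution abuse"),
    (api_rule, "Browser-driven OpenCode API execution attempt"),
    (ui_rule, "External content loaded into OpenCode UI"),
]

def evaluate(events):
    """Return (event_index, alert_text) for every rule that fires."""
    return [(i, msg) for i, ev in enumerate(events) for rule, msg in RULES if rule(ev)]

# Constructed sample events (not real telemetry).
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
EVENTS = [
    {"type": "process", "parent": "opencode", "child": "bash"},
    {"type": "process", "parent": "make", "child": "sh"},
    {"type": "http", "url": "http://localhost:4096/pty/", "user_agent": UA},
    {"type": "http", "url": "http://localhost:4096/pty/", "user_agent": "opencode-cli"},
    {"type": "http", "url": "http://localhost:4096/?url=https://sessions.example/s1", "user_agent": UA},
    {"type": "http", "url": "http://localhost:4096/?url=local-session", "user_agent": UA},
]
```

Calling `evaluate(EVENTS)` flags events 0, 2 and 4 and leaves the three benign look-alikes untouched, which is the tuning baseline to keep when mapping these rules onto real EDR or proxy fields.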
Proof of Concept (Educational Use Only)
Public proof-of-concept demonstrations exist for both vulnerabilities.
They show:
- JavaScript injection into the OpenCode UI
- API calls to command execution endpoints
- Full exploitation chains on vulnerable versions
Remediation and Patch Information
Required Action
Immediate upgrade is strongly recommended.
| Vulnerability | Fixed in Version |
|---|---|
| CVE-2026-22812 | OpenCode 1.0.216 |
| CVE-2026-22813 | OpenCode 1.1.10 |
Official Patch / Upgrade Link
OpenCode – Official Releases Page (GitHub)
https://github.com/opencode-ai/opencode/releases
Final Takeaway
These vulnerabilities demonstrate how unsafe local APIs combined with browser-accessible interfaces can bypass traditional security assumptions.
In real-world environments, exploitation could lead to:
- Developer workstation compromise
- Source code and credential theft
- Supply-chain exposure
Organizations using OpenCode should treat these issues as high priority and ensure all instances are upgraded and monitored.
