CVE-2026-22812
Published: 12 January 2026
Summary
CVE-2026-22812 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Anoma Opencode. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 11.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the missing authentication for the critical shell execution function by identifying and restricting permitted actions without identification or authentication on the exposed HTTP endpoint.
Enforces approved access authorizations to prevent unauthorized local or remote (via CORS) execution of arbitrary shell commands through the unauthenticated HTTP server.
Restricts the system to least functionality by prohibiting or disabling the unnecessary unauthenticated HTTP server that exposes the dangerous shell command endpoint.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability exposes an unauthenticated network-accessible HTTP endpoint in the OpenCode client application that executes arbitrary shell commands, exploitable remotely via malicious websites using permissive CORS (UI:R), directly enabling T1203 (Exploitation for Client Execution), T1190 (Exploit Public-Facing Application), and T1059 (Command and Scripting Interpreter).
NVD Description
OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability…
more
is fixed in 1.0.216.
Deeper analysisAI
CVE-2026-22812 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) affecting OpenCode, an open source AI coding agent, in versions prior to 1.0.216. The issue stems from OpenCode automatically launching an unauthenticated HTTP server upon startup. This server exposes an endpoint that allows any local process, or any remote website via permissive CORS policies, to execute arbitrary shell commands with the privileges of the user running OpenCode. It is associated with CWEs 306 (Missing Authentication for Critical Function), 749 (Exposed Dangerous Method or Function), and 942 (Permissive Cross-domain Policy with Untrusted Domains).
The attack scenario requires low complexity and no attacker privileges but relies on user interaction (UI:R). A remote attacker can exploit it over the network by crafting a malicious website that, when visited by a victim running a vulnerable OpenCode instance, leverages the permissive CORS to send requests triggering shell command execution. Local processes on the victim's machine can also abuse the unauthenticated server directly. Successful exploitation grants the attacker remote code execution (RCE) at user level, enabling high-impact compromise of confidentiality, integrity, and availability, such as data theft, persistence, or further lateral movement.
The GitHub security advisory (GHSA-vxw4-wv6m-9hhh) confirms the vulnerability was fixed in OpenCode version 1.0.216. Security practitioners should upgrade to this version or later and review local network exposure of OpenCode instances, disabling or firewalled the HTTP server if not needed. Additional mitigation includes browser protections against cross-origin requests and user education on running AI coding agents.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai