Open Source AI Coding Agent Vulnerability in Anomaly Co's OpenCode
CVE-2026-22812
What is CVE-2026-22812?
CVE-2026-22812 is a vulnerability in OpenCode, Anomaly Co's open-source AI coding agent, which assists developers by generating code snippets and automating coding tasks. Before version 1.0.216, the software inadvertently started an unauthenticated HTTP server. Because that server also answered with permissive Cross-Origin Resource Sharing (CORS) headers, any local process, and any website opened in the user's browser, could use it to execute arbitrary shell commands with the user's privileges. The result is unauthorized command execution and potentially complete compromise of the affected system.
Potential impact of CVE-2026-22812
- Unauthorized Command Execution: Attackers can leverage this vulnerability to execute arbitrary commands on a system, allowing them to manipulate files, deploy malware, or maintain persistent access.
- Data Breaches: The ability to run unauthorized commands can lead to unauthorized access to sensitive data stored on affected systems, resulting in significant data breaches that could affect privacy and compliance obligations.
- System Compromise: The flaw may enable threat actors to take full control of the affected systems, creating opportunities for further exploits, data manipulation, or the introduction of ransomware into the organizational infrastructure, risking extensive downtime and financial losses.
Affected Version(s)
opencode < 1.0.216
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. It is also a key component of weaponization, which can lead to ransomware.
Timeline
- Vulnerability started trending
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
