CVE-2026-22812: OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution
OpenCode automatically starts an unauthenticated HTTP server that allows any local process—or any website via permissive CORS—to execute arbitrary shell commands with the user’s privileges.