{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22812", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T22:50:10.288Z", "datePublished": "2026-01-12T22:49:18.325Z", "dateUpdated": "2026-01-13T19:07:37.056Z"}, "containers": {"cna": {"title": "OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-749", "lang": "en", "description": "CWE-749: Exposed Dangerous Method or Function", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-942", "lang": "en", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh"}], "affected": [{"vendor": "anomalyco", "product": "opencode", "versions": [{"version": "< 1.0.216", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T22:49:18.325Z"}, "descriptions": [{"lang": "en", "value": "OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216."}], "source": {"advisory": "GHSA-vxw4-wv6m-9hhh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T14:13:37.474420Z", "id": "CVE-2026-22812", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:07:37.056Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22812", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-13T14:13:37.474420Z"}}}], "references": [{"url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:13:39.967Z"}}], "cna": {"title": "OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution", "source": {"advisory": "GHSA-vxw4-wv6m-9hhh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "anomalyco", "product": "opencode", "versions": [{"status": "affected", "version": "< 1.0.216"}]}], "references": [{"url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh", "name": "https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-749", "description": "CWE-749: Exposed Dangerous Method or Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-942", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-12T22:49:18.325Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22812", "state": "PUBLISHED", "dateUpdated": "2026-01-13T19:07:37.056Z", "dateReserved": "2026-01-09T22:50:10.288Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-12T22:49:18.325Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anoma:opencode:*:*:*:*:*:-:*:*", "matchCriteriaId": "168EE682-3321-4383-8874-2C9D8B949A2F", "versionEndExcluding": "1.0.216", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216."}], "id": "CVE-2026-22812", "lastModified": "2026-01-21T15:14:59.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-12T23:15:53.370", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-749"}, {"lang": "en", "value": "CWE-942"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}