CVE-2026-22812: CWE-306: Missing Authentication for Critical Function in anomalyco opencode
OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.
AI Analysis
Technical Summary
CVE-2026-22812 is a critical vulnerability identified in anomalyco's OpenCode, an open-source AI coding agent. Versions prior to 1.0.216 automatically launch an HTTP server without any authentication controls. This server listens locally but is accessible to any local process and, due to overly permissive Cross-Origin Resource Sharing (CORS) policies, can be accessed by any website, effectively exposing the server to remote exploitation. The vulnerability allows attackers to execute arbitrary shell commands with the privileges of the user running OpenCode. This means an attacker can fully compromise the host system, leading to data theft, system manipulation, or denial of service. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), CWE-749 (Exposed Dangerous Method or Function), and CWE-942 (Permissive Cross-domain Whitelist). The CVSS v3.1 base score is 8.8, indicating high severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction (likely visiting a malicious website). The vulnerability was publicly disclosed on January 12, 2026, and fixed in version 1.0.216. No known exploits have been reported in the wild yet, but the conditions for exploitation are straightforward, especially in environments where users might visit untrusted websites or run untrusted local processes. The flaw poses a significant risk to any environment running vulnerable OpenCode versions, particularly in development or production AI coding environments.
Potential Impact
For European organizations, the impact of this vulnerability is substantial. Organizations using OpenCode for AI development or automation could face full system compromise if exploited. Confidential data, including proprietary code and intellectual property, could be stolen or altered. Integrity of development environments could be undermined, leading to insertion of malicious code or backdoors. Availability could be disrupted by attackers executing destructive commands or ransomware. The vulnerability's exploitation requires no authentication and can be triggered remotely via a malicious website due to permissive CORS, increasing the attack surface. This is particularly concerning for organizations with developers or AI researchers who might visit untrusted sites or run local scripts. The risk extends to cloud-based development environments hosted in Europe if they use vulnerable OpenCode versions. The potential for lateral movement within networks also exists if attackers gain initial foothold via this vulnerability. Overall, the threat could lead to significant operational disruption, data breaches, and reputational damage.
Mitigation Recommendations
1. Immediate upgrade of OpenCode to version 1.0.216 or later, where the vulnerability is fixed.
2. Restrict network access to the OpenCode HTTP server by implementing local firewall rules or network segmentation to prevent unauthorized local or remote access.
3. Harden CORS policies to allow only trusted origins, eliminating permissive cross-origin access.
4. Educate developers and users to avoid visiting untrusted websites or running untrusted local processes while using OpenCode.
5. Monitor network and system logs for unusual HTTP server activity or unexpected shell command executions.
6. Employ endpoint detection and response (EDR) tools to detect anomalous process behavior indicative of exploitation.
7. For cloud environments, ensure container or VM isolation and apply strict access controls to development tools.
8. Conduct regular vulnerability scans and penetration tests focusing on development tools and local services.
9. Implement application whitelisting to prevent unauthorized execution of shell commands.
10. Establish incident response procedures to quickly contain and remediate any exploitation attempts.
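Recommendation 3 and the missing-authentication root cause (CWE-306), illustrated as an added example that is not OpenCode's code or its actual fix: a request gate for a local control server, with the weak policy the advisory describes beside a hardened one. The port, origins, token scheme and sample requests are constructed assumptions, and the Host check is an extra hardening step the advisory does not mention.

```javascript
const crypto = require("node:crypto");

// Constructed values for this example; not OpenCode's real port or origins.
const ALLOWED_HOSTS = new Set(["127.0.0.1:8080", "localhost:8080"]);
const ALLOWED_ORIGINS = new Set(["http://localhost:8080"]);
// Per-run secret, handed to trusted clients out of band (assumed scheme).
const SESSION_TOKEN = crypto.randomBytes(32).toString("hex");

// Weak policy: the combination the advisory describes (no auth, any origin).
function weakPolicy(_req) {
  return { allow: true, status: 200, headers: { "Access-Control-Allow-Origin": "*" } };
}

// Compare fixed-length digests so timing does not depend on the token contents.
function tokenMatches(presented, expected) {
  const digest = (s) => crypto.createHash("sha256").update(s).digest();
  return crypto.timingSafeEqual(digest(presented), digest(expected));
}

// Hardened policy: Host allowlist, Origin allowlist, then a bearer token.
// `allow` means "the command handler may run for this request".
function hardenedPolicy(req, expectedToken = SESSION_TOKEN) {
  const { host, origin, authorization = "" } = req.headers;
  if (!ALLOWED_HOSTS.has(host)) return { allow: false, status: 403, reason: "host" };
  // Browsers attach Origin to cross-origin requests; local CLI clients omit it.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin))
    return { allow: false, status: 403, reason: "origin" };
  const cors = origin ? { "Access-Control-Allow-Origin": origin, Vary: "Origin" } : {};
  // Preflights carry no credentials: answer them for allowed origins, run nothing.
  if (req.method === "OPTIONS")
    return { allow: false, status: 204, reason: "preflight",
             headers: { ...cors, "Access-Control-Allow-Headers": "Authorization" } };
  const presented = authorization.startsWith("Bearer ") ? authorization.slice(7) : "";
  if (!presented || !tokenMatches(presented, expectedToken))
    return { allow: false, status: 401, reason: "token" };
  return { allow: true, status: 200, headers: cors };
}

// Constructed sample requests (header names lower-cased, as Node's http module does).
const SAMPLES = {
  crossSite: { method: "POST", headers: { host: "127.0.0.1:8080", origin: "https://untrusted.example" } },
  localNoToken: { method: "POST", headers: { host: "127.0.0.1:8080" } },
  foreignHost: { method: "POST", headers: { host: "untrusted.example:8080" } },
  legit: { method: "POST", headers: { host: "127.0.0.1:8080", authorization: "Bearer " + SESSION_TOKEN } },
};

// Decision of each policy for every sample: weak allows all, hardened only `legit`.
function evaluateSamples() {
  return Object.fromEntries(Object.entries(SAMPLES).map(
    ([name, req]) => [name, { weak: weakPolicy(req).allow, hardened: hardenedPolicy(req).status }]));
}
```

The origin allowlist alone would not stop an untrusted local process, which sends no Origin header; the token check is what closes that path.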
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-09T22:50:10.288Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69657efdda2266e838423032
Added to database: 1/12/2026, 11:08:45 PM
Last enriched: 1/12/2026, 11:23:16 PM
Last updated: 1/13/2026, 8:58:09 AM