CVE-2026-22812

Date: January 12, 2026

OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.

Severity Score

Weakness Type (CWE)

CWE-749: Exposed Dangerous Method or Function

CWE-306: Missing Authentication for Critical Function

CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains

Top Fix

Upgrade Version

Upgrade to version opencode-ai - 1.0.216; https://github.com/anomalyco/opencode.git - v1.0.216

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH
