
fix(server): CVE-2026-22812 - Make HTTP Server Authentication Mandatory

Open ssfdre38 opened this issue 2 days ago • 4 comments

Summary

This PR fixes CVE-2026-22812 (CVSS 8.8), a critical remote code execution vulnerability where OpenCode's HTTP server would run without authentication if OPENCODE_SERVER_PASSWORD was not set.

Vulnerability Details

CVE-2026-22812 allows unauthenticated:

  • Shell command execution via /session/:id/shell
  • PTY hijacking via /pty
  • Arbitrary file reading via /file/content

The vulnerability was reported to [email protected] on 2025-11-17 with no response received. The security advisory is public: GHSA-vxw4-wv6m-9hhh

The Fix

Before (Vulnerable)

.use((c, next) => {
  // undefined when OPENCODE_SERVER_PASSWORD is not set, so no credential is enforced
  const password = Flag.OPENCODE_SERVER_PASSWORD
  return basicAuth({ username, password })(c, next)
})

After (Secure)

  • Auto-generates secure 32-char password if none provided
  • Displays password prominently on startup
  • Removes authentication bypass
  • Auth is now MANDATORY for all endpoints

Security Impact

✅ Closes CVE-2026-22812 (CVSS 8.8)
✅ Prevents RCE via shell injection
✅ Blocks unauthorized file access
✅ Zero breaking changes for existing users

References

This vulnerability has been public since November 2025. Users are at risk until this is merged.

ssfdre38 · Jan 19 '26 01:01
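The "After (Secure)" behaviour described in the PR, as an added example that is not the PR's own diff or OpenCode's code: `resolvePassword` falls back to a generated 32-character secret instead of leaving the server open when `OPENCODE_SERVER_PASSWORD` is unset, and `authorize` rejects any request without valid Basic credentials. The function names, the `username` value and the env-lookup shape are assumptions for illustration.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical helper (not OpenCode's): pick the server password. When the
// environment variable is unset or empty, generate one rather than running
// unauthenticated, which is the CVE-2026-22812 failure mode.
export function resolvePassword(
  env: Record<string, string | undefined>,
): { password: string; generated: boolean } {
  const configured = env.OPENCODE_SERVER_PASSWORD;
  if (configured && configured.length > 0) {
    return { password: configured, generated: false };
  }
  // 24 random bytes encode to exactly 32 base64url characters (no padding).
  return { password: randomBytes(24).toString("base64url"), generated: true };
}

// Startup banner text so a generated password is shown prominently once.
export function startupNotice(r: { password: string; generated: boolean }): string {
  return r.generated
    ? `No OPENCODE_SERVER_PASSWORD set; generated password: ${r.password}`
    : "Using OPENCODE_SERVER_PASSWORD from environment";
}

// Constant-time comparison; the length check avoids timingSafeEqual throwing.
function safeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Decide whether an Authorization header grants access. There is no
// "password missing" branch: every request must present valid credentials.
export function authorize(
  header: string | undefined,
  username: string,
  password: string,
): boolean {
  if (!header || !header.startsWith("Basic ")) return false;
  const decoded = Buffer.from(header.slice(6).trim(), "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return false;
  const user = decoded.slice(0, sep);
  const pass = decoded.slice(sep + 1);
  // Evaluate both so a wrong username does not short-circuit the password check.
  const userOk = safeEqual(user, username);
  const passOk = safeEqual(pass, password);
  return userOk && passOk;
}
```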