OpenCode, an open source AI coding assistant, had a vulnerability that could let connected clients, and some websites, execute arbitrary code on a user's machine. The issue affected versions before v1.1.10, and the browser vector affected versions before v1.0.216.
KEY FACTS
- Incident: An unauthenticated local HTTP server exposed endpoints that allowed command execution
- Affected versions: Browser vector fixed in v1.0.216; server auto-spawned on startup before v1.1.10
- Fix status: Server disabled by default in v1.1.10, but it remains unauthenticated when enabled
A disclosure by cy.md reported that OpenCode automatically spawned an HTTP server on startup before v1.1.10 and that the server exposes endpoints to run shell commands, create interactive pty sessions, and read arbitrary files.
The server had no authentication. Any client that could connect gained full code execution with the privileges of the user running OpenCode. When the server was running there was no visible indication to the user.
The disclosure shows a timeline of vendor contacts and fixes. A CORS restriction was added in v1.0.216 to block requests from arbitrary web pages, and the server was disabled by default in v1.1.10. The disclosure warns that enabling the server remains unsafe and that the --mdns option can bind it to all interfaces.
The report includes proof-of-concept calls that create a session and execute shell commands against localhost. It recommends updating to v1.1.10 or newer, checking the configuration for server.port or server.hostname, avoiding --mdns, and not visiting opencode.ai subdomains while the server is enabled. The disclosure notes a published advisory and that a CVE is pending.
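The recommendations above (version floor, server.port or server.hostname in the configuration, the --mdns flag) can be turned into a small defender-side audit. The following is an added example, not code from the OpenCode project or from the cy.md disclosure. It assumes the configuration is a JSON document with a top-level "server" object holding "port" and "hostname" (the page only names the keys server.port and server.hostname), that the installed version is supplied as a string such as "v1.1.9", and that the launch command line is supplied as a string; the sample inputs in the usage block are constructed.

```python
"""Audit an OpenCode install against the exposure described in the disclosure.

Added example, not OpenCode's own code. Assumptions: JSON config with a
top-level "server" object; version and command line passed in as strings.
"""
import json
import shlex

# Version thresholds taken from the disclosure summary.
FIXED_BROWSER_VECTOR = (1, 0, 216)  # CORS restriction added
FIXED_SERVER_DEFAULT = (1, 1, 10)   # server no longer auto-spawned


def parse_version(v: str) -> tuple:
    """Turn 'v1.1.9' or '1.1.9' into a comparable tuple (1, 1, 9)."""
    return tuple(int(part) for part in v.strip().lstrip("v").split("."))


def server_settings(config_text: str) -> dict:
    """Return any server.port / server.hostname values present in the config.

    An empty dict means the config does not explicitly enable the server.
    """
    cfg = json.loads(config_text) if config_text.strip() else {}
    server = cfg.get("server") or {}  # assumed layout: {"server": {...}}
    return {key: server[key] for key in ("port", "hostname") if key in server}


def uses_mdns(cmdline: str) -> bool:
    """True if the launch command line contains the --mdns flag."""
    return "--mdns" in shlex.split(cmdline)


def audit(version: str, config_text: str, cmdline: str = "") -> list:
    """Return a list of human-readable findings; an empty list means no exposure found."""
    findings = []
    ver = parse_version(version)

    if ver < FIXED_BROWSER_VECTOR:
        findings.append("browser vector: arbitrary web pages could reach the server; update to v1.0.216 or newer")
    if ver < FIXED_SERVER_DEFAULT:
        findings.append("server auto-spawns on startup; update to v1.1.10 or newer")

    settings = server_settings(config_text)
    if settings:
        # Per the disclosure the server stays unauthenticated even on fixed versions.
        findings.append(f"server explicitly enabled via {settings}; it runs without authentication")
        if settings.get("hostname") in ("0.0.0.0", "::"):
            findings.append("server.hostname binds all interfaces; reachable from the network")

    if uses_mdns(cmdline):
        findings.append("--mdns present: the server may bind to all interfaces")

    return findings


if __name__ == "__main__":
    # Constructed sample inputs; port value is illustrative only.
    for finding in audit("v1.1.10", '{"server": {"port": 4096}}', "opencode --mdns"):
        print("FINDING:", finding)
    print("clean install:", audit("v1.1.12", "{}"))
```

The version checks only cover the two thresholds the disclosure gives; the configuration and --mdns checks apply regardless of version, because the page states that an enabled server remains unauthenticated and the CORS fix only blocks browsers, not local processes that can reach the port.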
WHY IT MATTERS
The vulnerability allowed local processes and, in some versions, web pages to gain code execution on affected systems. Users should update and verify server settings to reduce exposure.