RCE and file read vulnerability

[Mishkun]

Description

Vulnerability Summary

The OpenCode codebase has critical security vulnerabilities:

1. No CORS validation - /packages/opencode/src/server/server.ts:135 uses .use(cors()) with no origin restrictions
2. No authentication - Any request works without tokens/credentials
3. Arbitrary shell execution and file read - POST /session/:id/shell executes any command GET /file/content?path=/etc/passwd reads file by path

Attack Vector

Any website can:

1. Scan localhost ports to find the OpenCode server
2. List existing sessions via GET /session
3. Create a new session via POST /session
4. Execute arbitrary shell commands via POST /session/:id/shell
5. Read any file via GET /file/content?path=/etc/passwd

OpenCode version

1.0.207

Steps to reproduce

1. start opencode server (or just open opencode in any dir)
2. go to https://mishkun.github.io/opencode-rce-poc/ and follow instructions
3. enjoy being pwned

Screenshot and/or share link

No response

Operating System

macos

Terminal

iTerm2

[github-actions]

This issue might be a duplicate of existing issues. Please check:

• [FEATURE]: Adding Authentication to opencode server api #5256: [FEATURE]: Adding Authentication to opencode server api - directly addresses the authentication vulnerability you've identified
• OpenCode should have better/safer defaults to be more security minded #5076: OpenCode should have better/safer defaults to be more security minded - discusses related security concerns about default configurations

Feel free to ignore if none of these address your specific case.

[Mishkun]

Chrome and chromium require "local network access" permission
latest firefox (146.0.1) doesn't require anything, exploit works without permission
safari and brave browsers block port scanning

[rekram1-node]

updating cors policy and releasing that:
7d2d87f

[CyberShadow]

Previously reported here: GHSA-vxw4-wv6m-9hhh

@rekram1-node Now that this has been independently reported and fixed, could you please publish the advisory

[CyberShadow]

@rekram1-node Why does opencode.ai need arbitrary command execution powers to all OpenCode users' machines?

[CyberShadow]

Hi @rekram1-node, FYI - since the issue is now public and I haven't been able to reach anyone from the team regrading the above, I plan to publish a full disclosure of this and remaining problems at https://cy.md/opencode-rce/ in 48 hours (2026-01-11).

[thdxr]

hey sorry this got dropped over the holidays

do you mind sending me disclosure to dax@anoma.ly

the reason for the opencode.ai exception was for people using the webapp at app.opencode.ai

we've made a change recently not to start the server by default, it's opted into

[CyberShadow]

hey sorry this got dropped over the holidays

Understandable, but I should note that I first tried reaching out in November. The address mentioned here might not be monitored.

we've made a change recently not to start the server by default, it's opted into

This is great, thank you!

do you mind sending me disclosure to dax@anoma.ly

Sent!

[CyberShadow]

I plan to publish a full disclosure of this and remaining problems at https://cy.md/opencode-rce/ in 48 hours (2026-01-11).

Posted.

[ta-dd]

Thanks to both for finding the vulnerability, as well as the proof-of-concept and the very well written disclosure. Jarring to see such a poor response from the Opencode team, please monitor that email address.