Two cases of unauthenticated RCE and RCE via XSS, over 220,000 instances exposed in OpenCode
Two serious vulnerabilities have been disclosed in the open source AI coding agent “OpenCode” (developed by Anomaly Co). CVE-2026-22812 (CVSS 8.8 HIGH) allows shell commands to be executed through an unauthenticated HTTP server. CVE-2026-22813 (CVSS 9.4 CRITICAL) reaches RCE over WebSocket from an XSS in the Markdown renderer. PoCs for both have been published on GitHub, and over 220,000 instances are exposed on the internet.
CVE-2026-22812: RCE by unauthenticated HTTP server
By default, OpenCode starts an unauthenticated HTTP server bound to 0.0.0.0 (every network interface). The following endpoints are open to anyone who can reach the port.
| Endpoint | Operation |
|---|---|
| POST /session | Session creation |
| POST /session/{id}/shell | Shell command execution |
| GET /file/content | Read any file |
Three CWEs apply: CWE-306 (Missing Authentication for Critical Function), CWE-749 (Exposed Dangerous Method or Function), and CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). Because CORS is unrestricted, the assumption that “it’s safe because it only runs locally” breaks down: simply opening a malicious web page lets the JavaScript on that page send a request to /session/{id}/shell and execute a command.
@@CODE0@@
The PoC has been published on 0xgh057r3c0n/CVE-2026-22812 (GitHub) and has three modes: command execution, file read/write, and interactive shell acquisition.
@@CODE1@@
The fix was OpenCode 1.0.216, which implemented authentication to the HTTP server.
CVE-2026-22813: XSS to RCE via WebSocket
The CVSS v4.0 score is 9.4 CRITICAL, while NIST’s CVSS v3.1 score is 6.1 MEDIUM; the v4.0 assessment is closer to reality.
The Markdown renderer used by OpenCode’s Web UI (localhost:4096) inserts LLM output directly into the DOM. Neither sanitization with DOMPurify nor a CSP (Content Security Policy) was in place.
Attack flow:
```mermaid
graph TD
A[Attacker injects a prompt injection<br/>or malicious context] --> B[LLM generates output containing HTML]
B --> C[Markdown renderer inserts the<br/>HTML directly into the DOM]
C --> D[Malicious JavaScript runs<br/>XSS achieved]
D --> E[Existing WebSocket connection is abused]
E --> F[Shell command executed<br/>RCE achieved]
```
Combined with prompt injection, the LLM acts as an intermediary and produces the XSS payload (a malicious script fragment) itself. If an attacker can write to the file system or to conversation context that the AI coding agent trusts, the chain completes without any user interaction.
The fix was OpenCode 1.1.10, which introduced Markdown renderer sanitization and CSP.
Over 220,000 instances exposed
SecurityScorecard found 135,000 OpenClaw instances exposed to the internet with insecure default configurations, 12,812 of which were exploitable for RCE. Adding OpenCode to OpenClaw, the total exceeds 220,000.
This continues the security problems with OpenClaw that have been pointed out for some time. A Composio analysis published in March found that 7.1% of the skills distributed on OpenClaw’s SkillHub contained severe vulnerabilities, with more than 30,000 instances exposed (7% of OpenClaw skills have severe vulnerabilities, more than 30,000 instances were exposed). This time the product and the route are different.
Supply Chain Contamination via ClawHub
In parallel, a coordinated attack campaign (a series of poisoning activities) has been observed on OpenClaw’s package registry, ClawHub. The campaign, dubbed “ClawHavoc,” involved more than 1,184 detected malicious packages, and Bitdefender’s analysis determined that approximately 20% of the whole registry was malicious.
All of the packages behave the same way: a fake installation script deploys Atomic macOS Stealer (AMOS), which steals the following:
- Data saved in password managers
- Browser cookies and session tokens
- Cryptocurrency wallets
- The macOS Keychain
Bitdefender has determined that 335 attacks were caused by the same attacker, and Trend Micro has also confirmed via telemetry that they were deployed on corporate devices.
A common design in the AI agent ecosystem is to “extend functionality by installing skills and packages,” but with large numbers of packages flooding in before registry review standards existed, the situation resembles the supply chain attacks that keep recurring on npm and PyPI.
Three independent vulnerabilities (including a CVSS 9.3 deserialization issue) have just been reported in LangChain and LangGraph (Three vulnerabilities in LangChain and LangGraph), and security issues around AI frameworks continue to surface.
Action
| CVE | Fixed version | Fix details |
|---|---|---|
| CVE-2026-22812 | OpenCode 1.0.216 | Authentication implementation on HTTP server |
| CVE-2026-22813 | OpenCode 1.1.10 | Markdown renderer sanitization, CSP introduction |
If updating immediately is difficult, as an interim measure restrict the HTTP server port to the local loopback address (127.0.0.1) with firewall rules, or stop the service when it is not in use. When using the Web UI, do not run it without a CSP configured.