OpenCode, an open-source AI coding assistant, shipped with a CVSS 10.0 remote code execution vulnerability that let any website execute arbitrary code on developers’ machines. Disclosed today by security researcher AlexAltea, the flaw affected all versions before 1.1.10 and stemmed from a fundamental security oversight: the tool ran a local HTTP server with zero authentication. Any website could silently run shell commands as the current user if OpenCode was installed. The most damaging versions (pre-v1.0.216) hardcoded CORS policies allowing any *.opencode.ai origin, turning every malicious website into a potential attack vector.
How the Vulnerability Works
OpenCode’s HTTP server automatically spawned on startup, listening on port 4096 or higher. It exposed three endpoints with no authentication whatsoever: POST /session/:id/shell for arbitrary shell commands, POST /pty for terminal sessions, and GET /file/content for file access. The server ran invisibly—users had no indication it was active.
The attack scenario was trivial. Visit a malicious website, and JavaScript could send a fetch request to localhost:4096 to execute commands. According to the security disclosure, “any client that can connect to it gains full code execution with the privileges of the user running OpenCode.” No exploit chain, no social engineering, no complexity. Just JavaScript and an unauthenticated endpoint.
Version 1.0.216 restricted the CORS policy, blocking web-based attacks. Version 1.1.10 disabled the server by default. But authentication? Still missing. The server can be manually enabled, and if it is, exploitation remains straightforward for local attackers.
This Isn’t an Isolated Incident
OpenCode joins a growing list of AI tools shipping with critical security flaws. In January 2026 alone, n8n—a workflow automation platform—disclosed two CVSS 10.0 vulnerabilities (CVE-2026-21858 and CVE-2026-21877) affecting roughly 100,000 servers. Both stemmed from missing authentication. Sound familiar?
Then there’s “IDEsaster,” a collection of over 30 vulnerabilities found across AI-powered IDEs like Cursor, Windsurf, GitHub Copilot, and others. Researchers demonstrated prompt injection attacks in GitLab Duo, Copilot Chat, and Salesforce Einstein. A separate study found that 62% of AI-generated code contains security flaws, with AI code 2.74 times more likely to introduce XSS vulnerabilities than human-written code.
The pattern is clear: AI tooling is accumulating security debt faster than patches can ship.
Move Fast, Break Everything
AI coding tools adopted Silicon Valley’s “move fast and break things” mantra without considering what “break things” means when your tool executes arbitrary code on developers’ machines. OpenCode’s missing authentication isn’t an edge case or race condition. It’s a foundational failure. The server runs invisibly, has no security controls, and hardcodes permissive CORS policies.
This isn’t technical debt. It’s security debt. And unlike technical debt, security debt compounds with interest measured in CVEs. As one security analysis notes, “when there’s a culture of ‘got to move fast, so let’s put that in later,’ just as with cars, speed kills.” You can patch features later. You can’t unpatch a CVSS 10.0 vulnerability that’s already been exploited.
Eighty-four percent of developers use AI coding tools, according to Stack Overflow’s 2025 survey. Sixty-two percent of organizations have vulnerable AI packages in their environments. Your productivity tools might be attack vectors, and you’d never know until it’s too late.
What Developers Should Do
If you’re using OpenCode, update to version 1.1.10 immediately. Check your config files for server.port or server.hostname settings—if present, remove them. Avoid the --mdns flag. The current version disables the server by default, but versions 1.0.216 through 1.1.9 still allow local exploitation.
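The checks above as a small script, added here as an example and not taken from OpenCode or the disclosure: it classifies an installed version against the article's thresholds and flags the two server settings. The JSON layout of the config (a nested "server" object or flat dotted keys) and the sample config are assumptions.

```python
import json

# Version thresholds taken from the article text.
CORS_RESTRICTED = (1, 0, 216)       # web-origin attacks blocked from here on
SERVER_OFF_BY_DEFAULT = (1, 1, 10)  # server no longer starts by default

def parse_version(text):
    """Turn '1.0.216' or 'v1.0.216' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))

def exposure(version):
    """Classify a version string by the exposure the article describes."""
    v = parse_version(version)
    if v < CORS_RESTRICTED:
        return "web-and-local"      # any website could reach the server
    if v < SERVER_OFF_BY_DEFAULT:
        return "local"              # server on by default, still no auth
    return "off-by-default"         # exposed only if the server is enabled

def server_settings(config_text):
    """Return server.port / server.hostname settings found in a JSON config.
    Assumption: nested "server" object or flat dotted keys (layout not in the article)."""
    cfg = json.loads(config_text)
    found = {}
    nested = cfg.get("server")
    for key in ("port", "hostname"):
        if isinstance(nested, dict) and key in nested:
            found["server." + key] = nested[key]
        if "server." + key in cfg:
            found["server." + key] = cfg["server." + key]
    return found

def audit(version, config_text):
    """Combine both checks into a list of findings (empty means clean)."""
    findings = []
    level = exposure(version)
    if level != "off-by-default":
        findings.append(f"version {version}: {level} exposure, update to 1.1.10")
    for name, value in server_settings(config_text).items():
        findings.append(f"{name}={value!r} is set: remove it")
    return findings

# Constructed sample input, not a real user's configuration.
SAMPLE_CONFIG = '{"theme": "dark", "server": {"port": 4096, "hostname": "0.0.0.0"}}'

if __name__ == "__main__":
    for line in audit("1.1.9", SAMPLE_CONFIG):
        print(line)
```

Feed it the version string your installation reports and the contents of whichever config file you use; an empty list means neither check fired.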
More broadly, audit your AI tooling. What’s running on your machine right now? What ports are open? What permissions have you granted? The convenience of AI coding assistants comes with risk. Evaluate that tradeoff honestly.
The Industry Needs Standards
This won’t be the last CVSS 10.0 vulnerability in AI tooling. Three have emerged in January 2026 alone. The race to ship AI-powered development tools has created a security minefield. Cursor, Copilot, Windsurf, and dozens of others compete on features and speed. Security audits come later—if at all.
The industry needs a reckoning. Should AI coding tools require security certifications? Mandatory authentication for any tool that executes code? Sandboxing by default? Right now, we have none of these. We have an ecosystem where tools ship with unauthenticated HTTP servers, invisible processes, and hardcoded CORS policies.
Or we can keep discovering that our productivity tools are running unauthenticated HTTP servers with arbitrary code execution. Your choice.











