Impact
The anomalyco:opencode AI coding agent launches an HTTP server that requires no authentication, allowing any local process, or any web page that can reach the server (because of its permissive CORS policy), to execute arbitrary shell commands with the privileges of the user running the agent. The flaw combines Missing Authentication, Command Injection, and Privilege Escalation weaknesses, letting an attacker run any command on the host, read data, modify files, or maintain persistence. The result is a high‑impact compromise of the confidentiality, integrity, and possibly availability of the affected system.
Affected Systems
Versions of OpenCode earlier than 1.0.216 are affected. The vulnerability applies to the anomalyco:opencode product as distributed on all supported platforms before that release.
Risk and Exploitability
The CVSS score for the vulnerability is 8.8, which is High severity. EPSS indicates a 4% probability of exploitation at the time of analysis, a moderate likelihood that attackers will seek out or already have access to a vulnerable environment. The flaw is not listed in the CISA KEV catalog. Attackers who can reach the unauthenticated HTTP endpoint, whether from a local process or from a malicious website that issues cross‑origin requests, can make the agent run any shell command without restriction.
OpenCVE Enrichment
GitHub GHSA