Previous versions of OpenCode started a server which allowed any website visited in a web browser to execute arbitrary commands on the local machine. Make sure you are using v1.1.10 or newer; see link for more details.

hey maintainer here

we've done a poor job handling these security reports, usage has grown rapidly and we're overwhelmed with issues

we're meeting with some people this week to advise us on how to handle this better, get a bug bounty program funded and have some audits done

Many people seem to be running OpenCode and similar tools on their laptop with basically no privilege separation, sandboxing, fine-grained permissions settings in the tool itself. This tendency is reflected also by how many plugins are designed, where the default assumption is the tool is running unrestricted on the computer next to some kind of IDE as many authentication callbacks go to some port on localhost and the fallback is to parse out the right parameter from the callback URL. Also for some reasons these tools tend to be relative resource hogs even when waiting for a reply from a remote provider. I mean, I am glad they exist, but it seems very rough around the edges compared to how much attention these tools get nowadays.

Please run at least a dev-container or a VM for the tools. You can use RDP/ VNC/ Spice or even just the terminal with tmux to work within the confines of the container/ machine. You can mirror some stuff into the container/ machine with SSHFS, Samba/ NFS, 9p. You can use all the traditional tools, filesystems and such for reliable snapshots. Push the results separately or don't give direct unrestricted git access to the agent.

It's not that hard. If you are super lazy, you can also pay for a VPS $5/month or something like that and run the workload there.

A coworker raised an interesting point to me. The CORS fix removes exploitation by arbitrary websites (but obviously allows full access from the opencode domain), but let's take that piece out for a second...

What's the difference here between this and, for example, the Neovim headless server or the VSCode remote SSH daemon? All three listen on 127.0.0.1 and would grant execution access to another process who could speak to them.

Is there a difference here? Is the choice of HTTP simply a bad one because of the potential browser exploitation, which can't exist for the others?

WTF, they not just made unauthenticated RCE http endpoint, they also helpfully added CORS bypass for it... all in CLI tool? That silently starts http server??

This is pretty egregious. And outside the fact the server is now disabled by default, once it's running it is still egregious:

> When server is enabled, any web page served from localhost/127.0.0.1 can execute code

> When server is enabled, any local process can execute code without authentication

> No indication when server is running (users may be unaware of exposure)

I'm sorry this is horrible. I really want there to be a good actual open cross-provider agentic coding tool, but this seems to me to be abusive of people's trust of TUI apps - part of the reason we trust them is they typically DON'T do stuff like this.

The disclosure timeline is concerning.

Reported 2025-11-17, and multiple "no responses" after repeated attempts to contact the maintainers... not a good look.

They keep adding features without maintaining the core. I stopped using it when they started selling plans. The main reason for Opencode was to use multiple models but it turns out context sharing across models is PIA and impractical right now. I went back to using Claude Code and Codex side by side.

Having said that, there is definitely a need for open platform to utilize multiple vendors and models. I just don’t think the big three (Anthropic, OAI and Google) will cede that control over with so much money on the line.

Lots of the same people that were behind: https://www.terminal.shop/

afaict, for that project they never went through PCI compliance. See original thread for more information: https://news.ycombinator.com/item?id=40228751

They seem to not have a lot of real world experience and/or throw caution to the wind and YOLO through security practices. I'd be weary using any of their products.

If you aren't blocking your browser from allowing sites to call to local services, you should:

> Network Boundary Shield

> The Network Boundary Shield (NBS) is a protection against attacks from an external network (the Internet) to an internal network - especially against a reconnaissance attack where a web browser is abused as a proxy.

> The main goal of NBS is to prevent attacks where a public website requests a resource from the internal network (e.g. the logo of the manufacturer of the local router); NBS will detect that a web page hosted on the public Internet is trying to connect to a local IP address. NBS only blocks HTTP requests from a web page hosted on a public IP address to a private network resource; the user can allow specific web pages to access local resources (e.g. when using Intranet services).

https://jshelter.org/nbs/

I run mine on the public internet and it’s fine, because I put it behind auth, because it’s a tool to remotely execute code with no auth and also has a fully featured webshell.

To be clear, this is a vulnerability. Just the same as exposing unauthenticated telnet is a vulnerability. User education is always good, but at some point in the process of continuing to build user-friendly footguns we need to start blaming the users. “It is what it is”, Duh.

This “vulnerability” has been known by devs in my circle for a while, it’s literally the very first intuitive question most devs ask themselves when using opencode, and then put authentication on top.

Particularly in the AI space it’s going to be more and more common to see users punching above their weight with deployments. Let em learn. Let em grow. We’ll see this pain multiply in the future if these lessons aren’t learned early.

Seems that OpenCode is YC-backed as well [0] [1]. I would've thought YC would encourage better cyber security practice than OpenCode have demonstrated here.

[0]: https://www.ycombinator.com/companies/sst

[1]: https://anoma.ly/

Huh, I thought opencode was a volunteer project but it looks like it's a business with major backing from major players. Was opencode always set up like this? I could have sworn there was some project with a better governance model, guess not.

This is such an egregious lack of respect for users, you can't trust this organisation again, and the lack of responsiveness just signals that they don't consider it a problem. Users must signal to companies that this attitude is unacceptable by dumping them.

The next few years are going to be a golden age for ops and security overtime

Seems `session/:id/shell` was also `session/:id/bash` and originally `session/:id/command` in some commits.

Maybe I'm using GitHub code search wrongly, but it appears this was just never part of even a pull request - the practice of just having someone pushing to `dev` (default branch) which then will be tagged should perhaps also be revisited.

(Several more commits under `wip: bash` and `feat: bash commands`)

https://github.com/anomalyco/opencode/commit/7505fa61b9caa17...

https://github.com/anomalyco/opencode/commit/93b71477e665600...

It feels that today security is secondary to growth. As long as your growing, a few incidents here and there aren't going to make a difference.

fwiw they should probably slow down a bit, even though they seem to be winning the race. they started selling their own subscription plan last week, and promptly committed all subscriber’s emails to the public repo

> Hey - have some bad news.

> We accidentally committed your email to our repo as part of a script that was activating OpenCode Black.

> No other information was included, just the email on its own.

> Silent fix

So did they fix it silently, without responding to the researcher, or they fixed the silent part where now user is made a aware that a website is trying to execute code on their machine.

Isn't it insane that any web page can run a port scan in the first place? Who wants that?

Meanwhile, running opencode in a podman container seems to stop this particular, err, feature.

Related: https://news.ycombinator.com/item?id=46539718

I'd be curious to know what features need opencode.ai to be an allowed origin for the local server.

people run AI tools outside a sandbox? tf? the first thing I did with claude code is put it in a sandbox.

come on people, docker and podman exist, please use them - it isolates you not only from problems like this but supply chain attacks as well.

it also has superior compatibility, any person working on your project will have all the tools available to compile it since to build & run it you use a simple Containerfile.

(rather outdated now: https://github.com/DeprecatedLuke/claude-loop)

Vibe coding a coding CLI?

This doesn't actually seem that bad to me? Browsers don't let random pages on the internet hit localhost without prompting you anymore so it's not like a random website could RCE you unless you're running an old browser—and at that point that's the browser's fault for letting web pages out of the sandbox. You shouldn't have to protect localhost from getting hit with random public websites.

The rest is just code running as your user can talk to code running as your user. I don't really consider this to be a security boundary. If I can run arbitrary code by hitting a URL I accept that any program running as me can as well. Going above and beyond is praiseworthy (good for you turning on SELinux as an example) but I don't expect it by default.

On the one hand, with 1800 open issues and 800 open PRs (most of it probably AI generated slop) makes it a bit understandable for the maintainers to be slow to reply. On the other hand, the vulnerability is so baffling that I'll make sure to stay as far away as possible from this project.

How's that plastic utensils at Anthropic's buffet analogy going now?