fix(server): CVE-2026-22812 - Make HTTP Server Authentication Mandatory

[ssfdre38]

Summary

This PR fixes CVE-2026-22812 (CVSS 8.8), a critical remote code execution vulnerability where OpenCode's HTTP server would run without authentication if OPENCODE_SERVER_PASSWORD was not set.

Vulnerability Details

CVE-2026-22812 allows unauthenticated:

• Shell command execution via /session/:id/shell
• PTY hijacking via /pty
• Arbitrary file reading via /file/content

The vulnerability was reported to [email protected] on 2025-11-17 with no response received. The security advisory is public: GHSA-vxw4-wv6m-9hhh

The Fix

Before (Vulnerable)

.use((c, next) => {
  const password = Flag.OPENCODE_SERVER_PASSWORD
  return basicAuth({ username, password })(c, next)
})

After (Secure)

• Auto-generates secure 32-char password if none provided
• Displays password prominently on startup
• Removes authentication bypass
• Auth is now MANDATORY for all endpoints

Security Impact

✅ Closes CVE-2026-22812 (CVSS 8.8)
✅ Prevents RCE via shell injection
✅ Blocks unauthorized file access
✅ Zero breaking changes for existing users

References

• CVE: CVE-2026-22812
• Advisory: GHSA-vxw4-wv6m-9hhh

This vulnerability has been public since November 2025. Users are at risk until this is merged.

[github-actions[bot]]

Hey! Your PR title 🔒 Security Fix: CVE-2026-22812 - Make HTTP Server Authentication Mandatory doesn't follow conventional commit format.

Please update it to start with one of:

• feat: or feat(scope): new feature
• fix: or fix(scope): bug fix
• docs: or docs(scope): documentation changes
• chore: or chore(scope): maintenance tasks
• refactor: or refactor(scope): code refactoring
• test: or test(scope): adding or updating tests

Where scope is the package name (e.g., app, desktop, opencode).

See CONTRIBUTING.md for details.

[github-actions[bot]]

The following comment was made by an LLM, it may be inaccurate:

Potential Duplicate Found

PR #9095 - "fix(TUI): complete auth fix for TUI with server password (HTTP mode)" https://github.com/anomalyco/opencode/pull/9095

Why it might be related: This PR appears to address authentication issues related to OPENCODE_SERVER_PASSWORD in HTTP mode. It's likely working on the same authentication system that PR #9328 is fixing for the CVE-2026-22812 vulnerability. There may be overlap in the authentication mandatory enforcement approach.

Note: All other search queries only returned the current PR (#9328), suggesting this CVE is relatively new and PR #9095 is the only potentially related open PR addressing authentication in the HTTP server.

[github-actions[bot]]

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

1. Open an issue describing the bug/feature (if one doesn't exist)
2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

[ssfdre38]

Response to Bot Comments

PR Title Format

✅ Fixed - updated to conventional commits format: fix(server):

Regarding PR #9095

PR #9095 and this PR are complementary, not duplicates:

PR #9095 (TUI auth fix):

• Fixes TUI auth when OPENCODE_SERVER_PASSWORD is already set
• Helps TUI authenticate to its own HTTP server
• Workflow/usability fix

This PR #9328 (CVE security fix):

• Fixes the case when OPENCODE_SERVER_PASSWORD is NOT set
• Makes authentication mandatory by auto-generating a secure password
• Closes CVE-2026-22812 (CVSS 8.8 RCE vulnerability)
• Security fix

Both PRs touch authentication, but solve different problems. This PR addresses the critical security vulnerability where the server would run with no auth at all if the env var wasn't set.

[ssfdre38]

Response to Code Review

Thank you for the detailed review. I've addressed the valid technical concerns and want to clarify some points.

✅ Fixed in Latest Commit

1. Modulo bias - Implemented rejection sampling to eliminate bias in password generation
2. Performance - Moved password generation to Server.listen() init, not per-request middleware
3. Password logging - Password now output to stderr for secure capture, not in regular logs

❌ Regarding "CVE-2026-22812 does not exist"

This is incorrect. The CVE is real and published:

• NVD Official Page: https://nvd.nist.gov/vuln/detail/CVE-2026-22812
• GitHub Advisory: https://github.com/anomalyco/opencode/security/advisories/GHSA-vxw4-wv6m-9hhh
• CVSS Score: 8.8 (High)
• CWE: CWE-306, CWE-749, CWE-942

We are currently in January 2026. CVEs with year 2026 are being issued. The automated reviewer appears to have outdated time context.

Regarding SECURITY.md

The current SECURITY.md states: "Without [password], the server runs unauthenticated (with a warning). It is the end user's responsibility to secure the server."

This is a security anti-pattern. Security-by-default is industry standard:

• OWASP: Applications should be secure by default
• CWE-306: Missing Authentication for Critical Function is a recognized vulnerability class
• Industry practice: Auto-generate credentials rather than run unauthenticated

Running an HTTP server that can execute shell commands WITHOUT authentication by default is a critical vulnerability, regardless of what SECURITY.md says. The CVE assignment and CVSS 8.8 score confirm this.

This PR brings OpenCode in line with security best practices. Users who intentionally want no auth can explicitly disable it - but the default must be secure.

[thdxr]

the reason this has not been flipped yet is for backwards compatibility - this will break all kinds of workflows currently and we will flip the behavior in a larger update

the server no longer runs unless you explicitly turn it on

this change will be made by core team