A critical remote code execution (RCE) vulnerability has been discovered in multiple OpenCode products, which could allow an unauthenticated attacker to take full control of the system running the AI coding agent. Successful exploitation could lead to the theft of sensitive source code, compromise of development environments, and lateral movement within the network. Immediate patching is required to mitigate this high-severity risk.

The vulnerability exists due to improper input validation within the component that processes user-submitted prompts and code snippets. An unauthenticated remote attacker can craft a malicious prompt containing specially designed code. When the OpenCode AI agent processes this input, it fails to properly sanitize it, leading to the execution of arbitrary commands on the underlying operating system with the privileges of the OpenCode service account.

This vulnerability is rated as High severity with a CVSS score of 8.8. Exploitation could have a severe impact on the business, as the AI coding agent is often integrated into critical development pipelines and has access to sensitive intellectual property. Potential consequences include the exfiltration of proprietary source code, injection of malicious code into the software supply chain, deployment of ransomware, and complete compromise of the development infrastructure, leading to significant operational disruption and financial loss.

Immediate Action: Apply vendor security updates immediately across all affected OpenCode instances, prioritizing internet-facing and business-critical systems. After patching, monitor for any signs of post-patch exploitation attempts and thoroughly review historical access logs for indicators of compromise that may have occurred prior to remediation.

Proactive Monitoring: Implement enhanced monitoring on systems running the OpenCode agent. Look for suspicious activity, including unusual child processes spawned by the OpenCode service, unexpected outbound network connections to unknown destinations, and anomalous patterns or payloads in the application's input logs.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce the risk of exploitation:

• Restrict network access to the OpenCode service to only trusted IP addresses and internal networks.
• Place the service behind a Web Application Firewall (WAF) with rules designed to detect and block command injection payloads.
• Run the OpenCode agent in a sandboxed or containerized environment with minimal privileges to limit the potential impact of a successful compromise.

Public Exploit Available: false

This is a critical vulnerability that exposes organizations to remote code execution, a worst-case scenario for any application, especially one integrated into software development environments. Immediate patching is the highest priority. Although this vulnerability is not yet on the CISA KEV list, its high CVSS score makes it a prime candidate for future inclusion. Organizations must assume imminent exploitation and act swiftly to apply the vendor-provided patches and implement heightened monitoring to protect their intellectual property and development infrastructure.