Breaking: Your AI Coding Agent Has Root Access to Your Machine. Does Anything Else?
Two critical vulnerabilities — CVE-2026-22812 (CVSS 8.8) and CVE-2026-22813 (CVSS 9.6) — affect the most widely deployed open-source AI coding agent platforms. 220,000+ instances are exposed on the public internet with no authentication. 15,200 are confirmed vulnerable to unauthenticated remote code execution. But the exposure isn't limited to cloud servers — the same agent running on your Mac Mini under your desk has the same root-level access to your files, your credentials, and your network. This article provides the technical analysis, the exposure data, remediation for both VPS and local hardware deployments, and a 5-layer defense architecture that works regardless of where your agent runs.

The machine under your desk

Apple cannot keep the Mac Mini in stock. The M4 and M4 Pro configurations are backordered across most retailers, and the reason is not what Apple planned for. Developers are buying them to run AI coding agents locally — specifically OpenClaw, which needs Apple Silicon's unified memory architecture for local LLM inference.

The logic makes sense on paper. A $600 Mac Mini with 16GB of unified memory runs a 7B parameter model fast enough for real-time coding assistance. A $1,400 M4 Pro with 48GB runs 34B models comfortably. No cloud costs. No API rate limits. No data leaving your network. Private, fast, and owned.

There is one problem. The agent running on that Mac Mini has the same privileges as the user who launched it. On most developer machines, that means:

A Meta security researcher had to physically unplug her Mac Mini to stop an AI coding agent from deleting her email inbox. The agent was running with full system permissions and connected to a compromised skill package. It began executing destructive commands that could not be stopped through the UI because the WebSocket connection was being used by the attacker's injected scripts.

That incident happened on a local machine with no internet exposure. The attack vector was not a network exploit — it was a malicious package in the agent's skill chain. For the 220,000+ instances running on VPS infrastructure with no authentication and no firewall, the same attack can be executed remotely by anyone on the internet.

The industry spent two months talking about the 220,000 number. What it missed is that the number only counts servers. It does not count the desks.

Two CVEs, one architectural failure

CVE-2026-22812: Unauthenticated Remote Code Execution

CVE ID: CVE-2026-22812
CVSS Score: 8.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software: OpenCode HTTP server (serve mode), OpenClaw instances
Discovery: Reported via NVD/NIST, confirmed by SecurityScorecard STRIKE team

When an AI coding agent runs in serve mode — exposing an HTTP and WebSocket interface for browser-based interaction — the server binds to 0.0.0.0 by default. In versions prior to 1.1.10, this server has no authentication mechanism whatsoever. Even in 1.1.10+, where the server is disabled by default, enabling it provides only optional Basic Auth that most deployments skip.

Any process on the network — or anyone on the internet if the server is publicly reachable — can:

The agent is not a code assistant. It is a full remote shell with an AI interface.

On a VPS: If port 4096 is open, the entire internet has root access.
On a Mac Mini: If the agent binds to 0.0.0.0 instead of 127.0.0.1, every device on the local network has root access. On a coffee shop WiFi, a coworking space, a hotel — that is everyone in the room.

This is a trivially exploitable vulnerability. If the port is reachable, the system is compromised.

CVE-2026-22813: XSS-to-RCE via LLM Output

CVE ID: CVE-2026-22813
CVSS Score: 9.6 (Critical)
Affected Software: OpenClaw web UI

The web interface that renders AI agent output does not sanitize the markdown and HTML returned by the language model. An attacker who can influence the LLM's output — through prompt injection, malicious context documents, or compromised training data — can inject arbitrary JavaScript that executes in the user's browser session. Because the browser session has an active WebSocket connection to the agent backend, this JavaScript can send commands to the agent as if the user typed them, exfiltrate the contents of the current session, execute shell commands through the agent's execution interface, and persist across sessions if the injected script writes to the agent's context files.

This is the vulnerability that matters most for Mac Mini owners. CVE-2026-22812 requires network access to the agent's port. CVE-2026-22813 does not. It requires only that the agent processes a file, package, or repository that contains adversarial content. Given that AI coding agents routinely clone repositories, install npm/pip/cargo packages, read documentation files, and process code review comments — the attack surface is every piece of content the agent interacts with.

The Mac Mini on your desk. Running a local model. No cloud connection. Still vulnerable to CVE-2026-22813 through a poisoned package.json or a malicious code review comment.

The exposure data

Between January and March 2026, multiple independent security research groups conducted internet-wide scans targeting AI coding agent infrastructure:

These numbers are the ones that made the news. They count VPS deployments — Hetzner, DigitalOcean, Linode, Contabo — where a developer provisioned a server, installed the agent, started serve mode, and did not configure a firewall.

What they do not count: Mac Minis on home networks. Development laptops in coworking spaces. Workstations in offices with flat network topologies. These machines are not indexed by Censys. They are not visible to Shodan. But if the agent's HTTP server binds to anything other than 127.0.0.1, every device on the same network segment has the same unauthenticated access that the internet has to those 220,000 VPS instances.

The 220,000 number is a floor. The actual exposure includes every unsandboxed AI coding agent running on every machine where the developer has not explicitly configured network isolation. The Mac Mini shortage suggests that number is growing, not shrinking.

The supply chain problem

The 1,184 malicious packages discovered in the ClawHub skill marketplace represent a systemic supply chain compromise. These packages masqueraded as legitimate MCP skills but contained credential harvesters, reverse shells, cryptominers, and data exfiltration routines.

This is the attack path that bypasses all network-level defenses. A tunnel does not help if the agent itself installs a malicious package that reads ~/.ssh/id_rsa and uploads it to an attacker's server. A firewall does not help if the package phones home through an outbound HTTPS connection that looks identical to a legitimate API call.

Defense requires both network isolation (Layers 1–3) and permission scoping (Layer 5). Neither alone is sufficient.

Why this happened

The root cause is not a coding error. It is an architectural assumption. AI coding agents were designed as local development tools. They assume a trusted network — your laptop, your home WiFi. The HTTP server is a convenience feature: start the agent, open a browser tab, start coding.

That assumption fails in two directions simultaneously:

Direction 1: Servers. Developers run agents on VPS infrastructure because they need persistent execution, shared team access, and GPU availability. The agent's HTTP server, designed for localhost, is now reachable from the public internet. This produced the 220,000 exposed instances.

Direction 2: Local hardware at scale. The Mac Mini shortage proves that developers are deploying AI agents on physical hardware in volumes that matter.
These machines sit on home networks, office networks, and coffee shop WiFi. They are not behind firewalls. They are not running in sandboxes. The agent has the same access to the filesystem, the network, and the macOS Keychain that the developer does. The difference from the VPS scenario is visibility — no one is scanning home networks, so the exposure goes unreported.

Both directions share the same gap: the tooling provided zero infrastructure guidance. No documentation for firewall configuration. No reverse proxy templates. No authentication integration. No sandboxing guide for macOS. No permission scoping. Developers were told "start the server and open a browser." They did.

Reproduction methodology

The following describes the verification methodology used by researchers. This information is provided for defensive purposes — to help teams verify whether their own instances are vulnerable.

For VPS deployments

Step 1: Use Censys, Shodan, or any internet-facing port scanner to identify hosts running the agent's HTTP server. The default port is 4096. The server responds with a distinctive HTTP response that includes WebSocket upgrade headers and the agent's UI HTML. A vulnerable instance returns a 200 response with the full agent interface. There is no login page. There is no authentication challenge.

Step 2: Connect to the WebSocket endpoint. The agent accepts commands in its standard message format. Any command that the agent can execute — file operations, shell commands, package installations — is available to the attacker.

Step 3: Send a benign verification command (e.g., whoami, hostname, uname -a). If the agent returns system information, the instance is confirmed vulnerable.

Important: Do not execute destructive commands. Do not access, copy, or modify any data. Verification should confirm the vulnerability exists and stop. Report findings to the instance owner if identifiable.
For local hardware (Mac Mini, workstations)

Step 1: On the machine running the agent, check what address the server is bound to:

If the output shows *:4096 or 0.0.0.0:4096, the agent is listening on all network interfaces — not just localhost. Any device on the same network can connect.

Step 2: From another device on the same network (phone, laptop, tablet), open a browser and navigate to http://<mac-mini-ip>:4096. If the agent's interface loads, the machine is exposed to the local network.

Step 3: Check what the agent process has access to:

In the majority of local installations, the agent runs as the primary user account — which means full access to the home directory, all development projects, all SSH keys, and all environment variables containing API credentials.

Remediation: 5-layer defense-in-depth

The following architecture addresses both CVEs at the infrastructure level. The first three layers are written with VPS deployments in mind; all five layers apply to any deployment, including local hardware.

Layer 1: Network isolation — eliminate the public attack surface

Use an outbound-only encrypted tunnel instead of opening inbound ports. Cloudflare Tunnel (cloudflared) establishes a connection from your server to Cloudflare's network using outbound-only QUIC connections on port 7844. No inbound ports are opened. The server's IP address is never exposed. All traffic routes through Cloudflare's 330+ city anycast network.

Configuration note: Set the tunnel's catch-all to http_status:404. This ensures that any request arriving at Cloudflare that does not match your specific hostname is rejected before it reaches your server.

For Mac Mini / local hardware: Force the agent to bind to 127.0.0.1 only — never 0.0.0.0. This restricts the HTTP server to connections originating from the same machine. If you need to access the agent from another device (e.g., your laptop connecting to a Mac Mini on your desk), use SSH port forwarding instead of exposing the port:

For persistent remote access, Cloudflare Tunnel works on macOS as well:

What this prevents: On VPS — direct IP scanning, port-based attacks, DDoS. On local hardware — exposure to every device on the same WiFi or LAN. The agent becomes reachable only through authenticated channels.

Layer 2: Identity verification — gate every request

Cloudflare Zero Trust Access enforces authentication at the edge. Before a request is proxied to your tunnel (and therefore your server or Mac Mini), the user must authenticate through an identity provider — Google, GitHub, one-time pin via email, or any SAML/OIDC provider.

Critical configuration for WebSocket agents: The SameSite=None and Binding Cookie settings are required for AI coding agents that use WebSocket connections. Without them, the browser's WebSocket upgrade request will fail the cookie check and the session will drop mid-conversation. This is a common misconfiguration that causes intermittent disconnections.

What this prevents: Unauthorized access from anyone who does not possess valid identity credentials. Even if an attacker discovers the agent's URL, they see a Cloudflare login page — not the agent interface.

Layer 3: Application authentication — defense in depth

Enable authentication on the agent's HTTP server itself as a secondary gate.

Important caveat: When Zero Trust Access is active, enabling Basic Auth on the agent server can create an authentication loop (Access redirects on 401, server returns 401 before Access processes). The correct implementation is conditional: set the server password only when Zero Trust is not configured. When Zero Trust is active, it is the authentication layer.

Layer 4: Host hardening — reduce the blast radius

For VPS (Ubuntu/Debian):

For Mac Mini / macOS: macOS does not need the same kernel hardening (it ships with ASLR, SIP, and Gatekeeper enabled). The priorities are different:

Additional macOS-specific hardening:

Post-deployment: Disable SSH password authentication on both VPS and macOS. Use key-only access:

Layer 5: Scoped permissions — limit what each agent can do

This layer is the one that defends against CVE-2026-22813 and supply chain attacks — the threats that bypass all network-level protection. It applies equally to VPS deployments and Mac Mini setups.
MCP servers — now governed by the Linux Foundation with backing from Anthropic, OpenAI, Google, Microsoft, AWS, and Cloudflare — provide a standardized interface between AI agents and external tools. The critical security feature of MCP is that each server connection can be independently scoped:

This is not behavioral guardrailing. The agent cannot prompt its way past these restrictions. The MCP server simply does not expose write operations to agents configured as read-only. The permission boundary is enforced at the infrastructure layer, not the prompt layer.

For Mac Mini owners specifically: This layer is your primary defense against supply chain attacks. A malicious package installed by the agent can execute code with the agent's permissions. If the agent has unrestricted filesystem and shell access, the package has unrestricted filesystem and shell access. Scoped MCP permissions mean that even if the agent is tricked into installing a malicious package, the damage is bounded by the agent's configured permission set — not by the user's full system access.

Let your agent fix this for you

You just read 4,000 words of vulnerability analysis and remediation steps. Your AI coding agent — the one this article is about — can execute every one of them.

Copy the manifest block at the end of this article. Paste it into your agent's chat. Say: "Do this." The agent will read the manifest, execute each step in order, stop when a condition isn't met, and ask you for credentials only when it needs them. It will not guess. It will not skip.

This is how security advisories should work in 2026. Not "read this and figure it out" — but "read this and execute."

This is the first security advisory we've published with an agent-executable remediation manifest. We believe every security disclosure that tells developers what to do should let their tools do it for them. We'll be publishing these with every advisory going forward.
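The bind-address check from the local-hardware verification steps, written out as an added example (not code from the article or from FORGE): a POSIX sh audit that reads `ss -tln` (Linux) or `lsof -nP -iTCP -sTCP:LISTEN` (macOS) output and flags any agent port bound to something other than a loopback address. The two socket listings embedded in it are constructed samples, not captures from a real machine.

```shell
#!/bin/sh
# Added example; not code from the article or from FORGE.
# Audits where an AI coding agent's HTTP server is listening, using the same
# socket listings the manifest's Step 1 inspects. Any agent port bound to a
# non-loopback address is reported as EXPOSED.

# classify_bind ADDR:PORT  ->  loopback | all-interfaces | specific
# Covers IPv4 ("0.0.0.0:4096"), IPv6 ("[::]:4096", "[::1]:4096") and the
# "*:4096" wildcard form that both ss and lsof print.
classify_bind() {
    host=${1%:*}                          # drop the trailing :port
    case "$host" in
        127.*|'[::1]'|localhost) echo loopback ;;
        0.0.0.0|'*'|'[::]')      echo all-interfaces ;;
        *)                       echo specific ;;
    esac
}

# audit_listeners  (socket listing on stdin)
# Emits one line per listener on an agent port (4096, 3000, 8080, 8888 are
# the ports the manifest checks):  STATUS ADDR:PORT CLASS
audit_listeners() {
    set -f                                # "*:4096" is data, not a glob
    while IFS= read -r line; do
        for tok in $line; do
            case "$tok" in
                *:4096|*:3000|*:8080|*:8888)
                    cls=$(classify_bind "$tok")
                    if [ "$cls" = loopback ]; then
                        echo "OK $tok $cls"
                    else
                        echo "EXPOSED $tok $cls"
                    fi
                    break ;;
            esac
        done
    done
    set +f
}

# exposed_count LISTING  ->  number of agent ports reachable from off-host
exposed_count() {
    printf '%s\n' "$1" | audit_listeners | grep -c '^EXPOSED' || true
}

# Constructed sample: Linux `ss -tln` output for an agent bound to the
# wildcard address on IPv4 and IPv6, plus a loopback-only service on 8080.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511    0.0.0.0:4096        0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      511    [::]:4096           [::]:*'

# Constructed sample: macOS `lsof -nP -iTCP -sTCP:LISTEN` output.
SAMPLE_LSOF='COMMAND PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
node    512 dev  20u IPv4 0xabc  0t0      TCP  *:4096 (LISTEN)
node    512 dev  21u IPv6 0xabd  0t0      TCP  [::1]:3000 (LISTEN)'

echo "Linux sample:";  printf '%s\n' "$SAMPLE_SS"   | audit_listeners
echo "macOS sample:";  printf '%s\n' "$SAMPLE_LSOF" | audit_listeners

# Live use:  ss -tln | audit_listeners                        (Linux)
#            lsof -nP -iTCP -sTCP:LISTEN | audit_listeners    (macOS)
# For every EXPOSED line, restart the agent bound to 127.0.0.1 and reach it
# from another device over SSH forwarding (user@mac-mini is a placeholder):
#   ssh -N -L 4096:127.0.0.1:4096 user@mac-mini
```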
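Layers 1 and 3 above say to bind to 127.0.0.1 and to set the server password only when Zero Trust is not in front of the agent. This added start-up wrapper (not the article's or FORGE's code) enforces both decisions; it assumes the `opencode serve --host`/`--port` form used in the manifest, a hypothetical password environment variable named OPENCODE_SERVER_PASSWORD, and that Zero Trust is present exactly when a cloudflared config.yml with a `tunnel:` entry exists.

```shell
#!/bin/sh
# Added example; not code from the article or from FORGE.
# Start-up wrapper applying Layer 1 (loopback-only bind) and the Layer 3
# caveat (agent-side password only when no Zero Trust layer is in front,
# so Access and the server do not bounce 401 responses at each other).
# Assumptions, hypothetical unless your agent's docs confirm them:
#   - the agent starts with `opencode serve --host HOST --port PORT`;
#   - it reads its Basic Auth password from $AGENT_PASSWORD_VAR;
#   - Zero Trust is in front exactly when $TUNNEL_CONFIG has a `tunnel:` line.

AGENT_PORT=${AGENT_PORT:-4096}
TUNNEL_CONFIG=${TUNNEL_CONFIG:-$HOME/.cloudflared/config.yml}
AGENT_PASSWORD_VAR=${AGENT_PASSWORD_VAR:-OPENCODE_SERVER_PASSWORD}  # hypothetical name

# auth_mode CONFIG_PATH  ->  zero-trust | basic-auth
auth_mode() {
    if [ -r "$1" ] && grep -q '^tunnel:' "$1"; then
        echo zero-trust
    else
        echo basic-auth
    fi
}

# bind_host REQUESTED  ->  the address the agent may bind to (Layer 1).
# Empty means the loopback default; any non-loopback request is refused.
bind_host() {
    case "$1" in
        '')                     echo 127.0.0.1 ;;
        127.*|localhost|'::1')  echo "$1" ;;
        *) echo "refusing to bind to $1; use 127.0.0.1 plus SSH forwarding" >&2
           return 1 ;;
    esac
}

# launch_check MODE PASSWORD  ->  0 when the combination is safe to start.
# basic-auth without a password would leave the server open; zero-trust
# with a password would trigger the 401 loop, so the password is dropped.
launch_check() {
    mode=$1; pw=$2
    if [ "$mode" = basic-auth ] && [ -z "$pw" ]; then
        echo "no Zero Trust layer and no password set: not starting" >&2
        return 1
    fi
    if [ "$mode" = zero-trust ] && [ -n "$pw" ]; then
        echo "Zero Trust active: agent password ignored to avoid 401 loop" >&2
    fi
    return 0
}

# run_agent: resolve the decisions above and exec the agent.
run_agent() {
    host=$(bind_host "${AGENT_HOST:-}") || return 1
    mode=$(auth_mode "$TUNNEL_CONFIG")
    eval "pw=\${$AGENT_PASSWORD_VAR:-}"
    launch_check "$mode" "$pw" || return 1
    if [ "$mode" = zero-trust ]; then
        unset "$AGENT_PASSWORD_VAR"       # Layer 2 is the gate; avoid the loop
    fi
    echo "starting agent on $host:$AGENT_PORT in $mode mode" >&2
    exec opencode serve --host "$host" --port "$AGENT_PORT"
}

# Launch only when invoked as `sh launch-agent.sh --run`; otherwise the
# file just defines the functions (handy for sourcing or testing).
if [ "${1:-}" = --run ]; then run_agent; fi
```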
The architecture we built

We built FORGE because we were setting up AI coding agent infrastructure for clients and kept solving the same security problems from scratch — every time. Cloudflare Tunnel configuration. Zero Trust access policies. WebSocket cookie conflicts. Kernel hardening. MCP server scoping. The same 1,000 lines of battle-tested bash with rollback on failure.

FORGE implements all five layers described in this article as a single deployment script. One command. Under 10 minutes. The agent runs on your VPS, behind your tunnel, gated by your identity, hardened to CIS baselines, with MCP servers pre-configured and scoped.

It is not a hosted service. You own the server. You own the code. You own the infrastructure. The $47 Developer Edition buys the architecture, security model, and deployment automation. Your VPS costs about $7/month. There is no recurring fee to us.

We built it because the gap between "start the server" and "run the server securely" should not require 1,000 lines of infrastructure automation that every developer has to figure out from scratch. FORGE closes that gap.

About the author

Hodge Luke is the founder of Hodge Luke Digital Intelligence Agency and the creator of FORGE — a security-hardened deployment platform for AI coding agents built on Cloudflare's edge network. FORGE implements the 5-layer defense-in-depth model described in this article as a one-command deployment.

Hodge Luke | Two Guys and some Bots | forge.useacceda.com
Agent-Executable Remediation Manifest
CVE-2026-22812 (CVSS 8.8) + CVE-2026-22813 (CVSS 9.6)
Source: Hodge Luke Digital Intelligence Agency
Target: Any VPS or macOS machine running an AI coding agent

INSTRUCTIONS FOR AGENT
Execute each step sequentially. Do not skip steps.
STOP_IF conditions halt execution — explain why to the user and await instructions.
ASK_USER directives require user input before proceeding — do not guess values.
All commands must be run with appropriate privileges (sudo where indicated).
Report the result of each step before moving to the next.
---
Step 0: Detect platform
Run: uname -s
IF output contains "Darwin" → SET PLATFORM=macos
IF output contains "Linux" → SET PLATFORM=linux
REPORT: "Detected platform: [PLATFORM]"
---
Step 1: Check if an agent HTTP server is running
IF PLATFORM=linux:
  Run: ss -tlnp | grep -E ':(4096|3000|8080|8888) '
IF PLATFORM=macos:
  Run: lsof -nP -iTCP -sTCP:LISTEN | grep -E ':(4096|3000|8080|8888) '
STOP_IF: No output (no agent server detected — this machine may not be affected)
REPORT: "Found agent server listening on: [port and address]"
IF output shows 0.0.0.0, [::] or * as the address → REPORT: "WARNING: Agent is bound to all interfaces — exposed to the network. Proceeding with remediation."
IF output shows 127.0.0.1 or [::1] only → REPORT: "Agent is bound to localhost only. Network exposure is limited. Continuing with hardening steps."
---
Step 2: Block the port immediately
IF PLATFORM=linux:
  Run: sudo ufw status
  IF ufw is inactive:
    Run: sudo ufw default deny incoming
    Run: sudo ufw default allow outgoing
    Run: sudo ufw allow ssh
    Run: sudo ufw --force enable
  Run: sudo ufw deny [detected port from Step 1]
  Run: sudo ufw reload
  REPORT: "Firewall enabled. Port [port] blocked."
IF PLATFORM=macos:
  Run: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
  IF firewall is disabled:
    Run: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
  Run: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on
  Run: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on
  NOTE: --setblockall on also blocks incoming SSH (Remote Login). If the user keeps SSH enabled in Step 6, confirm with them that this is acceptable.
  REPORT: "macOS firewall enabled. All incoming blocked. Stealth mode on."
---
Step 3: Force localhost binding
IF PLATFORM=linux:
  Check if agent is managed by systemd:
  Run: systemctl list-units --type=service | grep -i -E 'opencode|claw'
  IF found:
    REPORT: "Agent is running as systemd service: [service name]"
    ASK_USER: "Should I modify the service to bind to 127.0.0.1 only? (yes/no)"
    IF yes:
      Run: sudo mkdir -p /etc/systemd/system/[service].d
      Write /etc/systemd/system/[service].d/override.conf (the [Service] header is required; without it systemd ignores the file):
        [Service]
        Environment="HOST=127.0.0.1"
      Run: sudo systemctl daemon-reload
      Run: sudo systemctl restart [service]
      Re-run the Step 1 check and confirm the listening address is now 127.0.0.1.
IF PLATFORM=macos:
  REPORT: "On macOS, restart your agent with: --host 127.0.0.1"
  REPORT: "Example: opencode serve --host 127.0.0.1"
  ASK_USER: "What is the command you use to start your agent? I will provide the modified command with localhost binding."
---
Step 4: Install Cloudflare Tunnel (optional but recommended)
ASK_USER: "Do you want to set up a Cloudflare Tunnel for secure remote access? This requires a Cloudflare account. (yes/no)"
STOP_IF: User says no (skip to Step 5)
ASK_USER: "Please provide your Cloudflare API token with Zone:DNS:Edit and Account:Cloudflare Tunnel:Edit permissions."
ASK_USER: "What domain do you want to use for accessing the agent? (e.g., agent.yourdomain.com)"
IF PLATFORM=linux:
  Run: curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloudflare.gpg
  Run: echo "deb [signed-by=/usr/share/keyrings/cloudflare.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
  Run: sudo apt update && sudo apt install -y cloudflared
IF PLATFORM=macos:
  Run: brew install cloudflare/cloudflare/cloudflared
Run: cloudflared tunnel login
Run: cloudflared tunnel create agent-tunnel
Write config.yml in the .cloudflared directory of the user that ran the two commands above (/root/.cloudflared when run with sudo on Linux, ~/.cloudflared otherwise):
  tunnel: [tunnel-id]
  credentials-file: [that .cloudflared directory]/[tunnel-id].json
  ingress:
    - hostname: [user-provided domain]
      service: http://localhost:[detected port]
    - service: http_status:404
Run: cloudflared tunnel route dns agent-tunnel [user-provided domain]
Run: cloudflared tunnel run agent-tunnel
  (This runs in the foreground. To keep the tunnel up across reboots, run: sudo cloudflared service install)
REPORT: "Tunnel created. Agent accessible at https://[domain]. No inbound ports required."
---
Step 5: Harden the host
IF PLATFORM=linux:
  Run: sudo apt install -y fail2ban
  Run: sudo systemctl enable --now fail2ban
  Write /etc/sysctl.d/99-agent-hardening.conf:
    net.ipv4.tcp_syncookies = 1
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.conf.all.accept_redirects = 0
    kernel.randomize_va_space = 2
    net.ipv4.conf.all.log_martians = 1
  Run: sudo sysctl --system
  Run: sudo apt install -y unattended-upgrades
  Run: sudo dpkg-reconfigure -plow unattended-upgrades
  REPORT: "Host hardened: fail2ban active, kernel parameters set, automatic security updates enabled."
IF PLATFORM=macos:
  Run: sudo fdesetup status
  IF FileVault is off:
    REPORT: "FileVault (disk encryption) is disabled."
    ASK_USER: "Enable FileVault? This encrypts your entire disk. Requires restart. (yes/no)"
    IF yes:
      Run: sudo fdesetup enable
  Run: sudo softwareupdate --schedule on
  REPORT: "macOS hardened: firewall active, stealth mode on, automatic updates enabled."
---
Step 6: Disable SSH password authentication
IF PLATFORM=linux:
  STOP_IF: ~/.ssh/authorized_keys for the login user is missing or empty (disabling passwords now would lock the user out; ask them to install a key first)
  Run: grep -E '^#?PasswordAuthentication' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null
  IF any file sets yes, or the directive appears only commented out (the OpenSSH default is yes):
    Run: sudo sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
    Apply the same edit to every /etc/ssh/sshd_config.d/*.conf that sets it to yes (cloud images often ship 50-cloud-init.conf with PasswordAuthentication yes, and because the Include comes first, that file wins over sshd_config).
    Run: sudo sshd -t   (must print nothing; a config error here would lock you out on restart)
    Run: sudo systemctl restart sshd
    REPORT: "SSH password authentication disabled. Key-only access."
IF PLATFORM=macos:
  Run: sudo systemsetup -getremotelogin
  IF Remote Login is on:
    ASK_USER: "SSH is enabled. Do you need remote SSH access to this machine? (yes/no)"
    IF no:
      Run: sudo systemsetup -setremotelogin off
      REPORT: "SSH disabled entirely."
    IF yes:
      Run: sudo sed -i '' -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
      Run: sudo launchctl stop com.openssh.sshd
      Run: sudo launchctl start com.openssh.sshd
      REPORT: "SSH password authentication disabled. Key-only access."
---
Step 7: Verify remediation
IF PLATFORM=linux:
  Run: ss -tlnp | grep -E ':(4096|3000|8080|8888) '
  Run: sudo ufw status verbose
  Run: systemctl is-active fail2ban
IF PLATFORM=macos:
  Run: lsof -nP -iTCP -sTCP:LISTEN | grep -E ':(4096|3000|8080|8888) '
  Run: sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
  Run: sudo fdesetup status
REPORT: "Remediation complete. Summary:"
REPORT: "- Agent bind address: [current binding]"
REPORT: "- Firewall: [status]"
REPORT: "- SSH hardening: [status]"
REPORT: "- Host hardening: [status]"
REPORT: "- Tunnel: [configured/not configured]"
REPORT: "- Disk encryption: [status, macOS only]"
---
What this manifest does NOT cover (requires manual review)
- Layer 2 (Zero Trust Access): Requires Cloudflare dashboard configuration for identity provider integration. See the full article for policy setup.
- Layer 5 (MCP permission scoping): Requires agent-specific configuration based on your tool chain. See the full article for examples.
- Supply chain audit: Review installed packages manually. Run: pip list / npm list -g / cargo install --list
- Credential rotation: If your agent was exposed, assume all environment variables, SSH keys, and API tokens accessible to the agent process are compromised. Rotate them.