Skip to content

security: OPENCODE_SERVER_PASSWORD is kept in process env post consumption #14567

Open
#14568
Open
security: OPENCODE_SERVER_PASSWORD is kept in process env post consumption#14567
#14568
Assignees
rekram1-node
Labels
bugSomething isn't workingcoreAnything pertaining to core functionality of the application (opencode server stuff)
@judepereira

Description

@judepereira
judepereira
opened on Feb 21, 2026

Description

OPENCODE_SERVER_PASSWORD continues to be stick around in the process's env. When running headless in docker, the only way to set OPENCODE_SERVER_PASSWORD is to put it in the env at start, but this should be removed once consumed, as a security measure to avoid potential future leakage into spawned processes.

Plugins

No response

OpenCode version

v1.2.10

Steps to reproduce

No response

Screenshot and/or share link

No response

Operating System

Docker

Terminal

No response

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingcoreAnything pertaining to core functionality of the application (opencode server stuff)

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions