[VENDOR] Cross-session data leakage via OpenCode Zen — public disclosure #1

@shift

cc @thdxr @adamdotdevin

On April 2, 2026, I observed a critical tenant isolation failure while using the mimo-v2-pro-free model via OpenCode Zen. Another user's session response payload — including generated content reflecting their prompt instructions, project structure, design specifications, and a constructed identity profile — was streamed into my local agent session and executed without my instigation.

The full incident report is in this repository: https://github.com/nexusrootlab/incident

A summary of the impacts observed:

  • Privacy breach (CWE-200 / CWE-488): Another user's session response — reflecting their raw prompt context — was delivered to my machine in plaintext
  • Integrity failure: My local agent acted on the foreign instructions, attempting to create directories and write files to my filesystem
  • Resource exhaustion: The foreign payload consumed a substantial portion of my token quota for the session; I subsequently hit the rate limit

The forensic output the agent generated from the leaked payload is preserved at https://github.com/nexusrootlab/website.

The raw session log is at https://github.com/nexusrootlab/incident/blob/main/session.log.

I was unable to identify a responsible disclosure channel for Anomaly — no security contact, security policy, or bug bounty programme was listed. This repository was created as a result, and this issue is the formal point of contact for your response.

I registered the nexusrootlab GitHub namespace immediately upon seeing the output. The leaked session appeared to belong to a real project. I do not know how many other users received this payload. If you are able to determine the scope and notify affected users, I would strongly encourage you to do so.

I am happy to provide any additional information that would assist your investigation.

Labels: vendor-response (Response from Anomaly Innovations Inc.)