๐Ÿ” CVE Alert

CVE-2026-10054

HIGH 8.8
CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.

CWE CWE-1385 CWE-306
Vendor eclipse foundation
Product eclipse theia
Published Jul 3, 2026
Stay Ahead of the Next One

Get instant alerts for eclipse foundation eclipse theia

Be the first to know when new high vulnerabilities affecting eclipse foundation eclipse theia are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

Eclipse Foundation / Eclipse Theia
1.8.1 < 1.73.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/eclipse-theia/theia/security/advisories/GHSA-78g8-vm3p-97c6 gitlab.eclipse.org: https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/376

Credits

๐Ÿ” Anwar Ayoob