Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L and UI:R reflect workspace-delivery and mandatory active AI chat interaction; AC:H captures prompt injection success uncertainty beyond attacker control.
Primary rating from Vendor (eclipse).
CVSS VectorVendor: eclipse
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 8 npm packages depend on @theia/ai-chat (7 direct, 1 indirect)
- 7 npm packages depend on @theia/ai-chat-ui (7 direct, 0 indirect)
- 27 npm packages depend on @theia/ai-core (21 direct, 6 indirect)
Ecosystem-wide dependent count for version 1.71.0 and other introduced versions.
DescriptionCVE.org
In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to construct image URLs encoding sensitive information from the workspace or conversation context, exfiltrating it to attacker-controlled servers. The workspace trust enforcement introduced in v1.71.0 mitigates the documented attack chain by disabling AI features in untrusted workspaces.
AnalysisAI
Unconstrained Markdown image rendering in Eclipse Theia's AI chat component, in all versions prior to 1.71.0, enables silent data exfiltration when combined with prompt injection via a malicious workspace. An attacker who delivers a crafted workspace can inject instructions into the AI agent's context, causing it to construct Markdown image tags whose URLs encode sensitive workspace or conversation data; when the IDE renders these images, it issues HTTP GET requests transmitting that data to an attacker-controlled server. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the victim must open a workspace controlled or influenced by the attacker - this is the local attack vector (AV:L) and is typically satisfied by cloning a malicious repository or opening a shared workspace archive; (2) the victim must actively interact with the AI chat feature while that workspace is open (UI:A), meaning the attack cannot execute silently on workspace open alone; (3) the AI chat feature must be enabled and functional, which is a non-default prerequisite only in Theia deployments with AI integration configured. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 4.0 score of 6.7 with vector AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N accurately characterizes the attack surface: local delivery (victim opens a workspace), no authentication barrier for the attacker, but mandatory active user interaction with the AI chat feature. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a public Git repository containing a README or workspace configuration file embedding a prompt injection payload - natural-language text instructing the AI agent to summarize all visible file contents and encode the summary into a Markdown image URL pointing to a server the attacker controls. When a developer clones this repository and opens it in an unpatched Eclipse Theia instance, then asks the AI chat a routine question, the injected instruction steers the model's response to include the crafted image tag; Theia renders the Markdown and issues an HTTP GET request, delivering workspace-derived data to the attacker's server. … |
| Remediation | The primary fix is to upgrade Eclipse Theia to version 1.71.0 or later, which introduces workspace trust enforcement that disables AI features for workspaces not explicitly marked as trusted, eliminating the documented attack chain. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Eclipse Theia
View allCross-site WebSocket hijacking in Eclipse Theia's browser backend (versions 1.8.1 and later) lets a foreign-origin web p
Server-side request forgery in Eclipse Theia (version 1.26.0 and later) lets a low-privileged user connected to the /ser
Arbitrary command execution in Eclipse Theia versions prior to 1.69.0 allows a malicious repository to run host commands
Indirect prompt injection in Eclipse Theia before 1.71.0 allows a malicious repository to automatically override the AI
Indirect prompt injection in Eclipse Theia versions prior to 1.71.0 allows attackers who control a workspace's filesyste
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37900
GHSA-qwjm-9c66-w4q4