Skip to main content

Eclipse Theia CVE-2026-22551

| EUVDEUVD-2026-37900 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-18 eclipse GHSA-qwjm-9c66-w4q4
6.7
CVSS 4.0 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
6.7 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.7 MEDIUM

AV:L and UI:R reflect workspace-delivery and mandatory active AI chat interaction; AC:H captures prompt injection success uncertainty beyond attacker control.

3.1 AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
4.0 AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (eclipse).

CVSS VectorVendor: eclipse

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jun 18, 2026 - 17:02 EUVD
Analysis Generated
Jun 18, 2026 - 16:06 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 npm packages depend on @theia/ai-chat (7 direct, 1 indirect)
  • 7 npm packages depend on @theia/ai-chat-ui (7 direct, 0 indirect)
  • 27 npm packages depend on @theia/ai-core (21 direct, 6 indirect)

Ecosystem-wide dependent count for version 1.71.0 and other introduced versions.

DescriptionCVE.org

In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to construct image URLs encoding sensitive information from the workspace or conversation context, exfiltrating it to attacker-controlled servers. The workspace trust enforcement introduced in v1.71.0 mitigates the documented attack chain by disabling AI features in untrusted workspaces.

AnalysisAI

Unconstrained Markdown image rendering in Eclipse Theia's AI chat component, in all versions prior to 1.71.0, enables silent data exfiltration when combined with prompt injection via a malicious workspace. An attacker who delivers a crafted workspace can inject instructions into the AI agent's context, causing it to construct Markdown image tags whose URLs encode sensitive workspace or conversation data; when the IDE renders these images, it issues HTTP GET requests transmitting that data to an attacker-controlled server. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Deliver malicious workspace to victim via repository or archive
Delivery
Victim opens workspace in Eclipse Theia with AI chat enabled
Exploit
Victim interacts with AI chat in context of malicious workspace
Install
Prompt injection payload steers AI to construct exfiltration image URL
C2
AI response contains Markdown image tag with encoded sensitive data
Execute
Theia renders Markdown image, issuing HTTP GET to attacker server
Impact
Attacker receives workspace or conversation secrets

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the victim must open a workspace controlled or influenced by the attacker - this is the local attack vector (AV:L) and is typically satisfied by cloning a malicious repository or opening a shared workspace archive; (2) the victim must actively interact with the AI chat feature while that workspace is open (UI:A), meaning the attack cannot execute silently on workspace open alone; (3) the AI chat feature must be enabled and functional, which is a non-default prerequisite only in Theia deployments with AI integration configured. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.0 score of 6.7 with vector AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N accurately characterizes the attack surface: local delivery (victim opens a workspace), no authentication barrier for the attacker, but mandatory active user interaction with the AI chat feature. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a public Git repository containing a README or workspace configuration file embedding a prompt injection payload - natural-language text instructing the AI agent to summarize all visible file contents and encode the summary into a Markdown image URL pointing to a server the attacker controls. When a developer clones this repository and opens it in an unpatched Eclipse Theia instance, then asks the AI chat a routine question, the injected instruction steers the model's response to include the crafted image tag; Theia renders the Markdown and issues an HTTP GET request, delivering workspace-derived data to the attacker's server. …
Remediation The primary fix is to upgrade Eclipse Theia to version 1.71.0 or later, which introduces workspace trust enforcement that disables AI features for workspaces not explicitly marked as trusted, eliminating the documented attack chain. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-22551 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy