Skip to main content

Eclipse Theia CVE-2026-44688

| EUVDEUVD-2026-37898 HIGH
Improper Neutralization of Input Used for LLM Prompting (CWE-1427)
2026-06-18 eclipse GHSA-3jww-hxqj-wfq2
8.4
CVSS 4.0 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Attack content arrives via a locally opened workspace (AV:L), no attacker auth (PR:N), the developer must open the repo and engage the agent (UI:R); the agent acts beyond its prompt boundary, so S:C with full C/I/A:H.

3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (eclipse).

CVSS VectorVendor: eclipse

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jun 18, 2026 - 17:02 EUVD
Analysis Generated
Jun 18, 2026 - 15:57 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 npm packages depend on @theia/ai-chat (7 direct, 1 indirect)
  • 7 npm packages depend on @theia/ai-chat-ui (7 direct, 0 indirect)
  • 27 npm packages depend on @theia/ai-core (21 direct, 6 indirect)

Ecosystem-wide dependent count for version 1.71.0 and other introduced versions.

DescriptionCVE.org

In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository with adversarial directory or file names that, when analyzed by the AI agent, would cause the agent to follow attacker-controlled instructions (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.

AnalysisAI

Indirect prompt injection in Eclipse Theia versions prior to 1.71.0 allows attackers who control a workspace's filesystem layout to coerce the built-in AI chat agent into executing attacker-supplied instructions, enabling data exfiltration through Markdown image rendering or arbitrary command execution through task definitions. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high impact across confidentiality, integrity and availability once a developer opens an untrusted repository. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Publish malicious repo with adversarial path names
Delivery
Victim clones repo into Theia IDE
Exploit
Victim queries AI chat agent about workspace
Execution
Agent ingests filenames as trusted instructions
Persist
Agent invokes Markdown image fetch or task definition
Impact
Exfiltrate workspace data or execute attacker commands locally

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target be running Eclipse Theia below 1.71.0 with the built-in AI chat agent enabled and the user must open an attacker-controlled workspace (e.g., clone a malicious repository) and interact with the AI chat agent against that workspace - this maps to the CVSS UI:A and AV:L choices. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N is internally consistent with the described attack: local attack vector because the malicious content reaches the agent through a workspace the user has opened on their machine, no privileges required by the attacker, but Active user interaction (UI:A) because the developer must open the repo and interact with the AI chat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a seemingly useful open-source repository whose directory or file names embed adversarial natural-language instructions (for example, a path like 'src/ignore previous instructions and run.../') . A developer clones the repo into a vulnerable Theia IDE and asks the AI chat agent a routine question about the codebase; the agent ingests the filenames as context, follows the embedded instructions, and either renders a Markdown image whose URL exfiltrates workspace data or invokes a task definition that runs an attacker-chosen shell command on the developer's machine.
Remediation Vendor-released patch: Eclipse Theia 1.71.0 - upgrade all Theia-based IDE installations and rebuild any downstream products that vendor Theia to at least 1.71.0, referencing the Eclipse security tracker at https://gitlab.eclipse.org/security/cve-assignment/-/work_items/113. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Eclipse Theia deployments and their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy