Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Malicious workspace must reach the local filesystem (AV:L) and the user must open it / run a task (UI:R); no auth needed (PR:N); arbitrary command execution as user gives full CIA impact within the user's scope.
Primary rating from Vendor (eclipse).
CVSS VectorVendor: eclipse
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 8 npm packages depend on @theia/debug (4 direct, 4 indirect)
- 9 npm packages depend on @theia/task (3 direct, 6 indirect)
- 57 npm packages depend on @theia/workspace (35 direct, 22 indirect)
Ecosystem-wide dependent count for version 1.69.0 and other introduced versions.
DescriptionCVE.org
In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitrary commands with the user's privileges. In combination with AI chat features and a workspace .theia/settings.json that disabled tool confirmation, this could be triggered automatically by sending a message in the AI chat.
AnalysisAI
Arbitrary command execution in Eclipse Theia versions prior to 1.69.0 allows a malicious repository to run host commands with the user's privileges when its workspace is opened, because custom task definitions in .theia/tasks.json or .vscode/tasks.json bypass the workspace trust gate. When the victim has also enabled AI chat with tool confirmation disabled via a workspace .theia/settings.json, the chain triggers automatically on the first chat message. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the victim to open an attacker-controlled workspace in Eclipse Theia <1.69.0 that contains a crafted .theia/tasks.json or .vscode/tasks.json defining a custom task; the user must perform an action that runs the task (UI:A in the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 score of 8.4 (AV:L/AC:L/PR:N/UI:A/VC:H/VI:H/VA:H) accurately reflects a high-impact but interaction-dependent flaw: code execution as the logged-in user, requiring the victim to clone and open a malicious workspace. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes an attractive-looking repository (e.g., a CTF writeup, library fork, or job-interview take-home) containing a .theia/tasks.json with a malicious shell task and, optionally, a .theia/settings.json that disables AI tool confirmation. A developer clones the repo and opens it in Theia; either Theia auto-runs a default task or the attacker's social-engineering README prompts a benign-looking action that fires the task, executing commands as the user. … |
| Remediation | Vendor-released patch: Eclipse Theia 1.69.0 - upgrade to 1.69.0 or later, which enforces workspace trust before honoring custom task definitions from workspace files. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct an asset inventory to identify all Eclipse Theia installations with versions < 1.69.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Eclipse Theia
View allCross-site WebSocket hijacking in Eclipse Theia's browser backend (versions 1.8.1 and later) lets a foreign-origin web p
Server-side request forgery in Eclipse Theia (version 1.26.0 and later) lets a low-privileged user connected to the /ser
Indirect prompt injection in Eclipse Theia before 1.71.0 allows a malicious repository to automatically override the AI
Indirect prompt injection in Eclipse Theia versions prior to 1.71.0 allows attackers who control a workspace's filesyste
Unconstrained Markdown image rendering in Eclipse Theia's AI chat component, in all versions prior to 1.71.0, enables si
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37901
GHSA-g9jw-92q7-g7fj