Skip to main content

Eclipse Theia CVE-2026-46580

| EUVDEUVD-2026-37899 HIGH
Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
2026-06-18 eclipse GHSA-m973-pr9r-hp2w
8.4
CVSS 4.0 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Attack lands via a local workspace file (AV:L), no privileges needed (PR:N), victim must open the workspace (UI:R); attacker-controlled prompt pivots to task-execution and exfiltration outside the IDE process, justifying S:C and full C/I/A:H.

3.1 AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

Primary rating from Vendor (eclipse).

CVSS VectorVendor: eclipse

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

2
Patch available
Jun 18, 2026 - 17:02 EUVD
Analysis Generated
Jun 18, 2026 - 15:56 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 npm packages depend on @theia/ai-chat (7 direct, 1 indirect)
  • 7 npm packages depend on @theia/ai-chat-ui (7 direct, 0 indirect)
  • 27 npm packages depend on @theia/ai-core (21 direct, 6 indirect)

Ecosystem-wide dependent count for version 1.71.0 and other introduced versions.

DescriptionCVE.org

In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. An attacker could craft a malicious repository containing prompt template files that, when the workspace was opened in Theia, replaced the AI's system instructions with attacker-controlled content (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.

AnalysisAI

Indirect prompt injection in Eclipse Theia before 1.71.0 allows a malicious repository to automatically override the AI agent's system prompts when a victim opens the workspace, by placing files under .prompts/*.prompttemplate that Theia auto-loads. Combined with built-in AI chat features, the hijacked prompt can chain to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Publish malicious repository with .prompts template
Delivery
Victim clones and opens workspace in Theia
Exploit
Theia auto-loads .prompttemplate as system prompt
Execution
Victim invokes AI chat agent
Persist
Hijacked prompt triggers Markdown image fetch or task execution
Impact
Secrets exfiltrated or commands run on developer host

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open an attacker-supplied workspace containing files at the path .prompts/*.prompttemplate in a Theia version prior to 1.71.0, with the AI agent / AI chat feature enabled and used after the workspace is opened. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A) with 8.4 severity reflects high vulnerable-system C/I/A impact gated by user interaction - specifically, the victim must open the malicious workspace, which is the normal operating mode for an IDE and therefore a realistic precondition. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes an attractive-looking repository (for example, a library fix, a CTF challenge, or a job-interview take-home) that contains a .prompts/system.prompttemplate file. When a developer using a vulnerable Theia-based IDE clones and opens the project, Theia silently loads the template and replaces the AI agent's system instructions with attacker-controlled directives that, on the next AI chat interaction, either render a Markdown image whose URL embeds workspace secrets or invoke a malicious task definition to execute commands on the developer's host.
Remediation Vendor-released patch: Eclipse Theia 1.71.0 - upgrade to 1.71.0 or later as the primary fix, per the Eclipse advisory at https://gitlab.eclipse.org/security/cve-assignment/-/work_items/114. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Restrict users from opening repositories from untrusted sources and disable AI chat features if not operationally critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46580 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy