Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack lands via a local workspace file (AV:L), no privileges needed (PR:N), victim must open the workspace (UI:R); attacker-controlled prompt pivots to task-execution and exfiltration outside the IDE process, justifying S:C and full C/I/A:H.
Primary rating from Vendor (eclipse).
CVSS VectorVendor: eclipse
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 8 npm packages depend on @theia/ai-chat (7 direct, 1 indirect)
- 7 npm packages depend on @theia/ai-chat-ui (7 direct, 0 indirect)
- 27 npm packages depend on @theia/ai-core (21 direct, 6 indirect)
Ecosystem-wide dependent count for version 1.71.0 and other introduced versions.
DescriptionCVE.org
In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. An attacker could craft a malicious repository containing prompt template files that, when the workspace was opened in Theia, replaced the AI's system instructions with attacker-controlled content (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.
AnalysisAI
Indirect prompt injection in Eclipse Theia before 1.71.0 allows a malicious repository to automatically override the AI agent's system prompts when a victim opens the workspace, by placing files under .prompts/*.prompttemplate that Theia auto-loads. Combined with built-in AI chat features, the hijacked prompt can chain to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open an attacker-supplied workspace containing files at the path .prompts/*.prompttemplate in a Theia version prior to 1.71.0, with the AI agent / AI chat feature enabled and used after the workspace is opened. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:A) with 8.4 severity reflects high vulnerable-system C/I/A impact gated by user interaction - specifically, the victim must open the malicious workspace, which is the normal operating mode for an IDE and therefore a realistic precondition. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes an attractive-looking repository (for example, a library fix, a CTF challenge, or a job-interview take-home) that contains a .prompts/system.prompttemplate file. When a developer using a vulnerable Theia-based IDE clones and opens the project, Theia silently loads the template and replaces the AI agent's system instructions with attacker-controlled directives that, on the next AI chat interaction, either render a Markdown image whose URL embeds workspace secrets or invoke a malicious task definition to execute commands on the developer's host. |
| Remediation | Vendor-released patch: Eclipse Theia 1.71.0 - upgrade to 1.71.0 or later as the primary fix, per the Eclipse advisory at https://gitlab.eclipse.org/security/cve-assignment/-/work_items/114. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Restrict users from opening repositories from untrusted sources and disable AI chat features if not operationally critical. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Eclipse Theia
View allCross-site WebSocket hijacking in Eclipse Theia's browser backend (versions 1.8.1 and later) lets a foreign-origin web p
Server-side request forgery in Eclipse Theia (version 1.26.0 and later) lets a low-privileged user connected to the /ser
Arbitrary command execution in Eclipse Theia versions prior to 1.69.0 allows a malicious repository to run host commands
Indirect prompt injection in Eclipse Theia versions prior to 1.71.0 allows attackers who control a workspace's filesyste
Unconstrained Markdown image rendering in Eclipse Theia's AI chat component, in all versions prior to 1.71.0, enables si
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37899
GHSA-m973-pr9r-hp2w