Skip to main content

Eclipse Theia EUVDEUVD-2026-41529

| CVE-2026-10054 HIGH
Missing Origin Validation in WebSockets (CWE-1385)
2026-07-03 eclipse
8.8
CVSS 3.1 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable unauthenticated (PR:N) cross-site WebSocket hijack yielding OS command execution (C/I/A:H), but requires the victim to visit a malicious page, so UI:R and scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (eclipse).

CVSS VectorVendor: eclipse

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 03, 2026 - 12:01 EUVD
Analysis Generated
Jul 03, 2026 - 11:16 vuln.today

DescriptionCVE.org

In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication.

WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit.

As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication.

A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.

AnalysisAI

Cross-site WebSocket hijacking in Eclipse Theia's browser backend (versions 1.8.1 and later) lets a foreign-origin web page reach the unauthenticated /services shell-terminal RPC namespace and execute arbitrary OS commands on the victim's host. The flaw stems from fail-open Origin validation in @theia/core combined with a client-controllable fix-origin header, so simply luring a developer running Theia to a malicious site yields remote code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim to malicious web page
Delivery
Browser JS opens /services WebSocket with spoofed/omitted Origin
Exploit
Bypass fail-open origin validation via fix-origin header
Execution
Invoke shell-terminal RPC creation
Persist
Attach to terminal data channel
Impact
Execute arbitrary OS commands and read output

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim have a running Eclipse Theia browser-backend (1.8.1+) reachable from their browser AND that they visit an attacker-controlled web page while it is running - that user interaction (UI:R) is the primary prerequisite and the main limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H = 8.8) is internally consistent with the description: network-reachable, low complexity, no authentication (PR:N, so unauthenticated), but requiring the victim to visit an attacker-controlled page (UI:R) with full RCE impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious web page containing JavaScript that opens a WebSocket to a developer's locally running Theia backend (e.g. ws://localhost:3000/services), omitting or spoofing the Origin/fix-origin header to pass the fail-open check. …
Remediation No vendor-released patch identified at time of analysis - the advisory states a fix is in development that will enforce same-origin validation by default, remove trust in the fix-origin header, gate HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitize shell terminal creation options; monitor GHSA-78g8-vm3p-97c6 (https://github.com/eclipse-theia/theia/security/advisories/GHSA-78g8-vm3p-97c6) for the patched release and upgrade as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory Theia installations running versions 1.8.1+; restrict web access to trusted networks behind VPN; disable external internet access from development hosts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41529 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy