Skip to main content

Eclipse Theia EUVDEUVD-2026-41531

| CVE-2026-10055 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-03 eclipse
8.5
CVSS 3.1 · Vendor: eclipse
Share

Severity by source

Vendor (eclipse) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
8.5 HIGH

Network-reachable service RPC needs only a low-privilege connection (PR:L) and no interaction; SSRF reaches backend resources beyond the component (S:C) with high read impact (C:H) and limited integrity effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (eclipse).

CVSS VectorVendor: eclipse

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 03, 2026 - 12:01 EUVD
Analysis Generated
Jul 03, 2026 - 11:15 vuln.today

DescriptionCVE.org

In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller.

Because the destination URL is neither validated nor allowlisted, a remote attacker with access to the Theia service connection can issue server-side HTTP requests to localhost or other backend-reachable hosts and read their responses, exposing internal administrative endpoints, cloud instance metadata services, and other resources that are intentionally outside the browser network boundary.

The vulnerability affects deployments where the Theia service connection is reachable by untrusted users (for example, multi-tenant or publicly-reachable Theia deployments).

AnalysisAI

Server-side request forgery in Eclipse Theia (version 1.26.0 and later) lets a low-privileged user connected to the /services messaging endpoint coerce the backend into fetching an attacker-supplied URL and returning the full response body, exposing localhost admin interfaces and cloud instance metadata that sit behind the browser network boundary. The flaw is exploitable by any client with access to the Theia service connection, making multi-tenant and publicly-reachable deployments the primary concern. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect to exposed /services endpoint
Delivery
Invoke request-service RPC with crafted URL
Exploit
Backend fetches internal host or metadata service
Execution
Response body returned to attacker
Impact
Harvest IAM credentials or internal data

Vulnerability AssessmentAI

Exploitation Requires the Theia /services messaging endpoint (specifically the backend /services/request-service RPC) to be network-reachable by the attacker, and the attacker must hold a standard low-privilege connection to that service (CVSS PR:L, so authenticated at a low level per the vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) reflects a network-reachable, low-complexity attack requiring only low privilege (any connected /services client) with a changed scope, since the impact reaches backend resources beyond the vulnerable component. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An untrusted user on a shared, internet-facing Theia instance connects to the /services endpoint and invokes request-service with a URL of http://169.254.169.254/latest/meta-data/iam/security-credentials/, receiving the cloud instance's temporary IAM credentials in the response body. They then reuse those credentials to access cloud resources, or point the same request-service at http://localhost admin panels to read configuration otherwise hidden behind the network boundary. …
Remediation Consult the Eclipse Theia security advisory GHSA-2m57-xxmh-v696 (https://github.com/eclipse-theia/theia/security/advisories/GHSA-2m57-xxmh-v696) and the Eclipse tracker work item 446 for the fixed release; the provided data does not include an exact fixed version, so upgrade to the patched release named in that advisory once confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all Eclipse Theia instances (1.26.0+) and classify by exposure level (public vs. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41531 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy