Michael Grube

**Name of the Vulnerable Software and Affected Versions** Eclipse Che versions 6.16 through 7.3.0 **Description** The issue allows an attacker to trigger the start of an arbitrary Che workspace by visiting a malicious website, given that both authentication and TLS are disabled. This scenario is more likely in local installations, such as on personal laptops, where Che is not typically exposed to public networks. However, JavaScript running in the local browser can still send requests to the Che API, posing a risk even when the API is not externally exposed. **Recommendations** For Eclipse Che versions 6.16 through 7.3.0, consider enabling authentication and TLS to prevent unauthorized access and mitigate the risk of arbitrary workspace startup. As a temporary workaround, restrict access to the Che API to minimize the risk of exploitation.