PT-2026-55523 · Eclipse Foundation · Eclipse Theia

Anwar Ayoob · Published 2026-07-03 · Updated 2026-07-03 · CVE-2026-10054

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Eclipse Theia versions 1.8.1 and later

Description: The browser backend exposes privileged terminal RPC over the WebSocket endpoints '/services/shell-terminal' and '/services/terminals/:id' without service-level authentication. The WebSocket origin validation in @theia/core is fail-open: connections are accepted if the Origin header is missing or if no THEIA HOSTS allowlist is configured. Furthermore, the Socket.IO integration replaces the actual Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page can open the /services WebSocket namespace, create a terminal, attach to its data channel, and execute arbitrary OS commands and read their output. This issue impacts local developer setups as well as hosted or tunneled deployments that lack strong external authentication.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
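The following is an added illustrative model of the two origin-check behaviours the description contrasts; it is not Eclipse Theia's code. The header name fix-origin, the allowlist shape and the handshake headers are assumptions constructed for this example.

```javascript
// Constructed model, not Theia's implementation. Extracts the host part of an
// Origin value, or null when the value is absent or does not parse as a URL.
function hostOf(origin) {
  try { return new URL(origin).host; } catch { return null; }
}

// Fail-open check in the shape the advisory describes: no allowlist accepts
// everything, a missing Origin accepts, and a client-supplied "fix-origin"
// header (assumed name) is consulted before the real Origin header.
function failOpenOriginCheck(headers, allowedHosts) {
  const origin = headers['fix-origin'] ?? headers['origin'];
  if (!allowedHosts || allowedHosts.length === 0) return true; // no allowlist -> accept
  if (!origin) return true;                                     // no Origin -> accept
  return allowedHosts.includes(hostOf(origin));
}

// Fail-closed counterpart: a non-empty allowlist is mandatory, only the real
// Origin header is trusted, and an absent or unparseable Origin is rejected.
function failClosedOriginCheck(headers, allowedHosts) {
  if (!Array.isArray(allowedHosts) || allowedHosts.length === 0) return false;
  const origin = headers['origin'];
  if (typeof origin !== 'string') return false;
  const host = hostOf(origin);
  return host !== null && allowedHosts.includes(host);
}

// Returns both decisions for one WebSocket handshake so they can be compared.
function evaluateHandshake(headers, allowedHosts) {
  return {
    failOpen: failOpenOriginCheck(headers, allowedHosts),
    failClosed: failClosedOriginCheck(headers, allowedHosts),
  };
}

// Constructed handshakes: a foreign page with no allowlist configured, a
// handshake with no Origin at all, a foreign page supplying fix-origin, and a
// legitimate same-host page.
const SAMPLE_HANDSHAKES = [
  { name: 'foreign origin, no allowlist', headers: { origin: 'https://foreign.example' }, allow: [] },
  { name: 'missing Origin header', headers: {}, allow: ['localhost:3000'] },
  { name: 'foreign origin with fix-origin', headers: { origin: 'https://foreign.example', 'fix-origin': 'http://localhost:3000' }, allow: ['localhost:3000'] },
  { name: 'legitimate local origin', headers: { origin: 'http://localhost:3000' }, allow: ['localhost:3000'] },
];

for (const h of SAMPLE_HANDSHAKES) {
  console.log(h.name, evaluateHandshake(h.headers, h.allow));
}
```

Only the last handshake is accepted by the fail-closed check; the fail-open check accepts all four.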

RCE

Missing Authentication

Related Identifiers

CVE-2026-10054

Affected Products

Eclipse Theia