PT-2026-55523 · Eclipse Foundation · Eclipse Theia
Anwar Ayoob
·
Published
2026-07-03
·
Updated
2026-07-03
·
CVE-2026-10054
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Eclipse Theia versions 1.8.1 and later
Description
The browser backend exposes privileged terminal RPC over the WebSocket endpoints '/services/shell-terminal' and '/services/terminals/:id' without service-level authentication. The WebSocket origin validation in @theia/core is fail-open: a connection is accepted if the Origin header is missing or if no THEIA_HOSTS allowlist is configured. Furthermore, the Socket.IO integration replaces the actual Origin header with a client-supplied 'fix-origin' header, which an attacker can set or omit at will. A foreign-origin web page can therefore open the /services WebSocket namespace, create a terminal, attach to its data channel, execute arbitrary OS commands and read their output. The issue affects local developer setups as well as hosted or tunneled deployments that lack strong external authentication.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until one is published, the description points to two interim controls: configure the THEIA_HOSTS allowlist so the unconfigured-allowlist path is not taken, and place the backend behind strong external authentication. Note that the allowlist alone does not close the missing-Origin and attacker-supplied fix-origin paths described above, so external authentication is the control that actually blocks the foreign-origin page.
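The origin check the description contrasts (fail-open versus a configured allowlist) can be made concrete with a small model. This is an added example, not Eclipse Theia's code: the header names 'origin' and 'fix-origin' follow the description, while the allowlist format (comma-separated host[:port] entries, as one might read from an environment variable), the request shape and the function names are assumptions. It runs the fail-open form the advisory describes beside a fail-closed form over three constructed handshakes: a foreign page that sends no Origin, a foreign page that supplies its own fix-origin, and a legitimate same-host client.

```javascript
// Added example, not code from Eclipse Theia: a minimal model of a WebSocket
// handshake origin check in the two forms the advisory contrasts. Header
// names, the allowlist format and the request shape are assumptions.

// Parse "localhost:3000, ide.example.com" into a Set of host[:port] entries.
function parseAllowlist(envValue) {
  return new Set(
    (envValue || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter((h) => h.length > 0)
  );
}

// Return the host[:port] part of an Origin value, or null if it is not a
// well-formed http(s) origin (e.g. the literal "null" or an empty string).
function originHost(origin) {
  try {
    const u = new URL(origin);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.host.toLowerCase();
  } catch {
    return null;
  }
}

// Fail-open check (the pattern described in the advisory): a client-supplied
// "fix-origin" header takes precedence over the browser-set Origin, a missing
// origin is accepted, and an empty allowlist disables the check entirely.
// Node lowercases incoming header names, so `headers` is keyed in lowercase.
function isOriginAllowedFailOpen(headers, allowlist) {
  const origin = headers["fix-origin"] ?? headers["origin"];
  if (origin === undefined) return true;        // no header: accept
  if (allowlist.size === 0) return true;        // not configured: accept
  const host = originHost(origin);
  return host !== null && allowlist.has(host);
}

// Fail-closed check: only the browser-set Origin header is consulted (a
// "fix-origin" header is never trusted), it must be present and well-formed,
// and the deployment must have configured a non-empty allowlist.
function isOriginAllowedFailClosed(headers, allowlist) {
  if (allowlist.size === 0) return false;       // unconfigured: deny
  const origin = headers["origin"];
  if (typeof origin !== "string") return false; // missing: deny
  const host = originHost(origin);
  return host !== null && allowlist.has(host);
}

// Constructed handshake headers for the three situations in the advisory.
const SCENARIOS = {
  noOrigin: {},
  spoofedFixOrigin: { origin: "https://evil.example", "fix-origin": "http://localhost:3000" },
  legit: { origin: "http://localhost:3000" },
};

// Evaluate both checks for every scenario against the given allowlist string,
// returning { scenarioName: { failOpen, failClosed } }.
function evaluate(allowlistEnv) {
  const allowlist = parseAllowlist(allowlistEnv);
  const out = {};
  for (const [name, headers] of Object.entries(SCENARIOS)) {
    out[name] = {
      failOpen: isOriginAllowedFailOpen(headers, allowlist),
      failClosed: isOriginAllowedFailClosed(headers, allowlist),
    };
  }
  return out;
}

console.log("no allowlist:", JSON.stringify(evaluate("")));
console.log("allowlist=localhost:3000:", JSON.stringify(evaluate("localhost:3000")));
```

With an empty allowlist the fail-open check accepts all three handshakes, and even with localhost:3000 configured it still accepts the spoofed fix-origin, whereas the fail-closed check admits only the legitimate client once the allowlist is configured. An origin check is a defence against browsers only; a non-browser client sets whatever headers it likes, so it does not substitute for authentication on the terminal service itself.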
RCE
Missing Authentication
Affected Products
Eclipse Theia