Back to overview

CVE-2026-10054

HIGH
8.8
CVSS 3.1
Description
In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.

Metadata

CVE ID
CVE-2026-10054
State
PUBLISHED
Assigner
eclipse
Reserved
2026-05-29 07:35 UTC
Published
2026-07-03 10:11 UTC
Last updated
2026-07-03 10:11 UTC
Primary CWE
CWE-1385
CWE-1385 Missing origin validation in WebSockets
Vendor / Product
Eclipse Foundation / Eclipse Theia
Sources
cve.org  ·  NVD

Severity & Metrics

8.8 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products (1)
VendorProductPlatformVersions
Eclipse Foundation Eclipse Theia 1.8.1 < 1.73.0
Weakness (CWE)
CWESourceDescription
CWE-1385 cna CWE-1385 Missing origin validation in WebSockets
CWE-306 cna CWE-306 Missing authentication for critical function
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.8 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Back to overview