Description
In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication.

WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit.

As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication.

A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.
Published: 2026-07-03
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from Eclipse Theia's browser backend exposing privileged terminal RPC over WebSocket endpoints (/services/shell-terminal, /services/terminals/:id) without service-level authentication. Because WebSocket origin validation is fail-open, connections are accepted when no Origin header is present or when no THEIA_HOSTS allowlist is configured. Attackers can therefore open these websockets from a foreign-origin web page, create terminals, attach to them and execute arbitrary OS commands while reading their output. The impact is full remote code execution for any user who has a running Theia instance.

Affected Systems

Affected systems include Eclipse Theia versions 1.8.1 and later. The default installation without a configured host allowlist or external authentication is vulnerable. Both local developer environments and hosted or tunneled deployments that do not enforce strong authentication are susceptible.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the KEV catalog, which suggests no publicly known exploitation yet. Nevertheless, the drive-by nature of the attack vector means that a malicious web page visited by a user with an active Theia session can execute code without any user interaction beyond visiting the page. The risk is high for organizations that expose Theia to untrusted network segments or rely on default configurations.

Generated by OpenCVE AI on July 3, 2026 at 17:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch for Eclipse Theia as soon as it becomes available.
  • Restrict WebSocket endpoint access by configuring a reverse proxy or firewall to allow only trusted origins and enforce SameSite=Strict HttpOnly cookies.
  • Disable or protect the /services/shell-terminal and /services/terminals/:id endpoints from unauthenticated external access, or require authentication before exposing them.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 17:45:00 +0000
  • Title, values added: Exposed Privileged Terminal RPC via WebSocket Enables Remote Code Execution in Eclipse Theia

Fri, 03 Jul 2026 12:45:00 +0000
  • First Time appeared, values added: Eclipse; Eclipse theia
  • Vendors & Products, values added: Eclipse; Eclipse theia

Fri, 03 Jul 2026 11:00:00 +0000
  • Description, values added: the full CVE description (identical to the Description section above)
  • Weaknesses, values added: CWE-1385; CWE-306
  • References, values added: (none listed)
  • Metrics, values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-07-03T10:11:32.446Z

Reserved: 2026-05-29T07:35:37.279Z

Link: CVE-2026-10054

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T17:30:15Z

Weaknesses
  • CWE-1385: Missing Origin Validation in WebSockets
  • CWE-306: Missing Authentication for Critical Function