Description
In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used the pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.
Published: 2026-01-30
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via CI with Repository Secrets
Action: Immediate Patch
AI Analysis

Impact

The Eclipse Theia Website repository contains a GitHub Actions workflow that triggers on pull_request_target, so untrusted code from any submitted pull request is run by the workflow. That code receives a GitHub token with extensive write permissions, which lets an attacker read and exfiltrate any secrets stored on the repository, modify website content, or publish malicious packages for the eclipse-theia organization. The vulnerability is an example of Access Control: Improper Authorization of a Privileged Token (CWE-829).

Affected Systems

All instances of the Eclipse Theia Website that use the reported .github/workflows/preview.yml workflow are affected; no specific version of the website is listed, so all current deployments that include this workflow are considered vulnerable.

Risk and Exploitability

This flaw carries a CVSS base score of 10, indicating critical severity. The EPSS score is below 1%, suggesting a very low probability of exploitation, and it is not currently catalogued as a known exploited vulnerability. The likely attack vector is any GitHub user who can open a pull request against the repository, which causes the workflow to run with a high-privilege GITHUB_TOKEN. If exploited, the attacker could obtain secrets, alter the website, or inject malicious code into the repository.

Generated by OpenCVE AI on April 18, 2026 at 01:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace the pull_request_target trigger with pull_request in the GitHub Actions workflow, so that untrusted pull request code is no longer executed with elevated privileges.
  • Restrict the GITHUB_TOKEN used by the workflow to read-only permissions (or a token with only the minimal scopes the job needs), and avoid exposing secrets inside the workflow; remove or restrict any secrets that the build does not require.
  • Apply any available vendor patch or update to the workflow file, and review the repository to ensure that no other workflows or components expose secrets or allow code execution with elevated privileges.
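As an added illustration, not from the OpenCVE page or the Theia project: a small Python audit that flags the three signals the recommendations above target (privileged trigger, checkout of the pull request head inside that privileged job, and no top-level permissions block), run over a constructed risky workflow and a constructed hardened one. Neither sample is the real preview.yml, and the check is a line-based heuristic rather than a full YAML parser.

```python
import re

# Constructed sample (not the real preview.yml) of the risky shape the advisory
# describes: privileged trigger, checkout of the PR head, then running PR code.
RISKY_WORKFLOW = """\
name: preview
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: yarn install && yarn build
"""

# Constructed hardened variant: unprivileged trigger plus a read-only token,
# which is what the recommended actions above amount to.
SAFE_WORKFLOW = """\
name: preview
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: yarn install && yarn build
"""

PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

def audit_workflow(text: str) -> list[str]:
    """Line-based heuristic check; returns finding codes (empty list = clean)."""
    lines = text.splitlines()
    # Everything above the top-level "jobs:" key is the trigger/permissions header.
    jobs_at = next((i for i, ln in enumerate(lines) if ln.startswith("jobs:")), len(lines))
    header = lines[:jobs_at]
    findings = []
    if any(re.search(r"\bpull_request_target\b", ln) for ln in header):
        findings.append("privileged-trigger")      # secrets and a write token are exposed
        if any(PR_HEAD.search(ln) for ln in lines):
            findings.append("checks-out-pr-head")  # untrusted code enters that privileged job
    if not any(ln.startswith("permissions:") for ln in header):
        findings.append("no-permissions-block")    # GITHUB_TOKEN falls back to the repo default
    return findings
```

Pointing audit_workflow at each file under .github/workflows/ gives a quick first pass over a repository; anything it flags still needs a manual read of what the job does with the checked-out tree.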

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 01:30:00 +0000

Type     Values Removed   Values Added
Title                     Unprotected GitHub Actions Allows Arbitrary Code Execution with Repository Secrets

Tue, 10 Mar 2026 18:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Eclipse theia Website
CPEs                                  cpe:2.3:a:eclipse:theia_website:*:*:*:*:*:*:*:*
Vendors & Products                    Eclipse theia Website

Tue, 03 Feb 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Eclipse; Eclipse theia
Vendors & Products                    Eclipse; Eclipse theia

Mon, 02 Feb 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 10:15:00 +0000

Type          Values Removed   Values Added
Description                    In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.
Weaknesses                     CWE-829
References
Metrics                        cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Eclipse Theia Theia Website
MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-02-02T19:26:31.652Z

Reserved: 2026-01-30T09:38:43.466Z

Link: CVE-2026-1699

Vulnrichment

Updated: 2026-02-02T19:26:28.448Z

NVD

Status: Analyzed

Published: 2026-01-30T10:15:56.617

Modified: 2026-03-10T18:23:17.930

Link: CVE-2026-1699

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses