Description
In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository with adversarial directory or file names that, when analyzed by the AI agent, would cause the agent to follow attacker-controlled instructions (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.
Published: 2026-06-18
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In versions of Eclipse Theia older than 1.71.0, the AI chat agent treats workspace file and directory names as part of its prompt context without distinguishing them from system instructions. This flaw allows an attacker to create a repository with maliciously named files or directories that, when processed by the agent, can embed attacker-controlled commands or instructions. The result is an indirect prompt injection that could result in data exfiltration via Markdown image rendering or arbitrary command execution through task definitions. The weakness aligns with CWE-1427 and CWE-829.

Affected Systems

These issues affect Eclipse Theia supplied by Eclipse Foundation. All releases before version 1.71.0 are impacted, meaning users running 1.70.x and earlier are vulnerable.

Risk and Exploitability

The CVSS score of 8.4 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of mitigation probably means attackers can still use the flaw. The likely attack vector involves an attacker providing a malicious repository to a user or system that has untrusted workspace AI chat enabled. The attack chain may utilize Markdown image rendering to exfiltrate data or activate pre-defined tasks that execute arbitrary commands, fulfilling the attacker’s objectives.

Generated by OpenCVE AI on June 18, 2026 at 19:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Eclipse Theia to version 1.71.0 or later, which removes the vulnerability in the AI chat prompt handling.
  • Disable or restrict AI chat features for repositories identified as untrusted until the upgrade can be performed, to prevent indirect prompt injection.
  • Validate and sanitize workspace file and directory names before they are included in the AI chat prompt context; consider implementing a whitelist or escaping mechanism per vendor guidance.
  • Monitor for suspicious Markdown image rendering and block execution of untrusted task definitions that could lead to arbitrary command execution.

Generated by OpenCVE AI on June 18, 2026 at 19:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Title Indirect Prompt Injection in Eclipse Theia AI Chat Leading to Data Exfiltration and Command Execution

Thu, 18 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse theia
Vendors & Products Eclipse
Eclipse theia

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository with adversarial directory or file names that, when analyzed by the AI agent, would cause the agent to follow attacker-controlled instructions (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.
Weaknesses CWE-1427
CWE-829
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Eclipse Theia
cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-06-18T15:28:17.384Z

Reserved: 2026-05-22T07:47:58.196Z

Link: CVE-2026-44688

cve-icon Vulnrichment

Updated: 2026-06-18T15:28:12.468Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses
  • CWE-1427

    Improper Neutralization of Input Used for LLM Prompting

  • CWE-829

    Inclusion of Functionality from Untrusted Control Sphere