Description
In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. An attacker could craft a malicious repository containing prompt template files that, when the workspace was opened in Theia, replaced the AI's system instructions with attacker-controlled content (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.
Published: 2026-06-18
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to place malicious .prompttemplate files into a workspace, which Eclipse Theia automatically loads when the workspace is opened, effectively injecting or overriding the AI agent’s system prompts. This indirect prompt injection can be chained with other untrusted workspace features to either exfiltrate data through Markdown image rendering or trigger arbitrary command execution via task definitions. The weakness is a form of code injection (CWE-829) coupled with insecure handling of user‑supplied prompt files (CWE-1427).

Affected Systems

Eclipse Theia versions before 1.71.0 are affected. The vulnerability impacts all installations that use the Theia IDE and host or open workspaces containing .prompts/*.prompttemplate files. This includes any user or team who accesses untrusted or third‑party repositories within Theia.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity risk. The EPSS score is not available, so the exploitation probability cannot be quantified, and the vulnerability is not currently listed in the CISA KEV catalog. Attackers can exploit the issue by shipping a malicious repository that contains prompt template files; when a user opens the workspace, Theia loads the templates and the attacker can then manipulate system prompts or execute commands via task definitions. Consequently, data exfiltration or arbitrary code execution could occur on the users’ machines.

Generated by OpenCVE AI on June 18, 2026 at 19:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Eclipse Theia to version 1.71.0 or later to remove the automatic loading of .prompttemplate files.
  • Configure Theia to disable or restrict automatic loading of prompt template files from untrusted workspaces.
  • Restrict access to repositories that contain .prompts/*.prompttemplate files by enforcing authentication and permission controls, and monitor for unexpected prompt template files.

Generated by OpenCVE AI on June 18, 2026 at 19:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Title Indirect Prompt Template Injection Leading to Remote Code Execution in Eclipse Theia

Thu, 18 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse theia
Vendors & Products Eclipse
Eclipse theia

Thu, 18 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description In Eclipse Theia versions prior to 1.71.0, files matching the pattern .prompts/*.prompttemplate in a workspace were automatically loaded and could override or extend the AI agent's system prompts. An attacker could craft a malicious repository containing prompt template files that, when the workspace was opened in Theia, replaced the AI's system instructions with attacker-controlled content (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.
Weaknesses CWE-1427
CWE-829
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Eclipse Theia
cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-06-18T15:26:46.566Z

Reserved: 2026-05-22T07:47:58.202Z

Link: CVE-2026-46580

cve-icon Vulnrichment

Updated: 2026-06-18T15:26:41.287Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses
  • CWE-1427

    Improper Neutralization of Input Used for LLM Prompting

  • CWE-829

    Inclusion of Functionality from Untrusted Control Sphere