In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.
History

Wed, 08 Jul 2026 07:00:00 +0000

Type Values Removed Values Added
Title Theia WebSocket Terminal Exposed Without Authentication

Tue, 07 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Title Browser Backend Terminal RPC Exposes Remote Code Execution via WebSocket

Mon, 06 Jul 2026 22:15:00 +0000

Type Values Removed Values Added
Title Browser Backend Terminal RPC Exposes Remote Code Execution via WebSocket

Mon, 06 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Terminal Access Exploits Shell Command Execution in Eclipse Theia

Mon, 06 Jul 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Terminal Access Exploits Shell Command Execution in Eclipse Theia

Sun, 05 Jul 2026 17:15:00 +0000

Type Values Removed Values Added
Title Theia Browser Backend Exposes Unauthenticated Terminal RPC Over WebSocket, Enabling Remote Code Execution

Sun, 05 Jul 2026 05:00:00 +0000

Type Values Removed Values Added
Title Theia Browser Backend Exposes Unauthenticated Terminal RPC Over WebSocket, Enabling Remote Code Execution

Sat, 04 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Title Unrestricted Terminal RPC Allowing Remote Code Execution in Eclipse Theia

Sat, 04 Jul 2026 09:30:00 +0000

Type Values Removed Values Added
Title Unrestricted Terminal RPC Allowing Remote Code Execution in Eclipse Theia

Sat, 04 Jul 2026 01:15:00 +0000

Type Values Removed Values Added
Title Exposed Privileged Terminal RPC via WebSocket Enables Remote Code Execution in Eclipse Theia

Fri, 03 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Title Exposed Privileged Terminal RPC via WebSocket Enables Remote Code Execution in Eclipse Theia

Fri, 03 Jul 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse theia
Vendors & Products Eclipse
Eclipse theia

Fri, 03 Jul 2026 11:00:00 +0000

Type Values Removed Values Added
Description In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.
Weaknesses CWE-1385
CWE-306
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2026-07-03T10:11:32.446Z

Updated: 2026-07-07T03:56:07.775Z

Reserved: 2026-05-29T07:35:37.279Z

Link: CVE-2026-10054

cve-icon Vulnrichment

Updated: 2026-07-06T14:18:35.722Z

cve-icon NVD

No data.

cve-icon Redhat

No data.