Metrics
Affected Vendors & Products
Wed, 08 Jul 2026 07:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Theia WebSocket Terminal Exposed Without Authentication |
Tue, 07 Jul 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Browser Backend Terminal RPC Exposes Remote Code Execution via WebSocket |
Mon, 06 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Browser Backend Terminal RPC Exposes Remote Code Execution via WebSocket |
Mon, 06 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 06 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unauthenticated Terminal Access Exploits Shell Command Execution in Eclipse Theia |
Mon, 06 Jul 2026 04:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unauthenticated Terminal Access Exploits Shell Command Execution in Eclipse Theia |
Sun, 05 Jul 2026 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Theia Browser Backend Exposes Unauthenticated Terminal RPC Over WebSocket, Enabling Remote Code Execution |
Sun, 05 Jul 2026 05:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Theia Browser Backend Exposes Unauthenticated Terminal RPC Over WebSocket, Enabling Remote Code Execution |
Sat, 04 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unrestricted Terminal RPC Allowing Remote Code Execution in Eclipse Theia |
Sat, 04 Jul 2026 09:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unrestricted Terminal RPC Allowing Remote Code Execution in Eclipse Theia |
Sat, 04 Jul 2026 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Exposed Privileged Terminal RPC via WebSocket Enables Remote Code Execution in Eclipse Theia |
Fri, 03 Jul 2026 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Exposed Privileged Terminal RPC via WebSocket Enables Remote Code Execution in Eclipse Theia |
Fri, 03 Jul 2026 12:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Eclipse
Eclipse theia |
|
| Vendors & Products |
Eclipse
Eclipse theia |
Fri, 03 Jul 2026 11:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options. | |
| Weaknesses | CWE-1385 CWE-306 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: eclipse
Published: 2026-07-03T10:11:32.446Z
Updated: 2026-07-07T03:56:07.775Z
Reserved: 2026-05-29T07:35:37.279Z
Link: CVE-2026-10054
Updated: 2026-07-06T14:18:35.722Z
No data.
No data.