CVE Catalog

CVE-2026-10054

HighCVSS 8.8
Published: Translated: NVD NIST

Summary

In Eclipse Theia versions 1.8.1 and later, the browser backend exposes privileged terminal RPC over WebSocket without service-level authentication. WebSocket origin validation is fail-open, allowing an attacker to execute arbitrary OS commands via terminal takeover.

Risk Assessment

The risk for the organization includes remote code execution (RCE) by an attacker who can hijack a user's terminal session, leading to compromise of confidentiality, integrity, and availability.

Recommendation

Immediately apply the fix once released, implement service-level authentication, and configure allowed origins (THEIA_HOSTS) and SameSite=Strict; HttpOnly cookie.

Original NVD description (English source)

In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS