CVE-2026-10054 in Theiainfo

Summary

by MITRE • 07/03/2026

In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication.




WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit.




As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication.




A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/03/2026

Eclipse Theia represents a popular open-source cloud-based integrated development environment that enables remote coding experiences through browser interfaces. The vulnerability under discussion affects versions 1.8.1 and later where the browser backend exposes privileged terminal Remote Procedure Calls over WebSocket connections without proper service-level authentication mechanisms. This creates a critical security gap that allows unauthorized access to terminal functionalities, potentially enabling arbitrary command execution on the underlying system.

The technical flaw stems from insufficient WebSocket origin validation within the @theia/core module which operates on a fail-open principle. When the Origin header is missing or when no THEIA_HOSTS allowlist configuration exists, the system accepts all connections by default. This default behavior creates an exploitable condition where attackers can bypass normal authentication requirements. Additionally, the Socket.IO integration component compounds this issue by replacing the legitimate Origin header with a client-supplied fix-origin header that can be manipulated or omitted entirely, completely undermining the security controls.

The operational impact of this vulnerability extends across multiple deployment scenarios including local developer environments and hosted deployments. In drive-by attack scenarios, a malicious web page visited by a user who has an active Theia instance running can exploit this weakness to establish WebSocket connections to the /services namespace. Once connected, attackers can create new terminal sessions, attach to data channels, execute arbitrary operating system commands, and read command outputs without proper authentication. This affects not only local setups but also remote deployments that lack strong external authentication mechanisms.

This vulnerability aligns with CWE-285 (Improper Authorization) and CWE-345 (Insufficient Verification of Data Authenticity) categories while mapping to ATT&CK technique T1059 (Command and Scripting Interpreter) and T1071.1 (Application Layer Protocol: Web Protocols). The attack vector specifically corresponds to privilege escalation through insecure direct object references, where the attacker leverages the exposed terminal services to gain unauthorized system access.

The mitigation approach involves implementing strict same-origin validation as the default behavior, eliminating trust in client-supplied fix-origin headers, and enforcing authentication through SameSite=Strict; HttpOnly connection-token cookies for both HTTP and WebSocket access. Additionally, shell terminal creation options need sanitization to prevent command injection attacks. These measures address the root causes by strengthening authentication mechanisms and removing the default permissive configuration that enabled the exploitation conditions. The fix ensures that only legitimate origins can establish privileged connections to terminal services while maintaining proper authorization controls for all terminal operations.

The vulnerability demonstrates how seemingly minor configuration defaults can create significant security risks in complex web applications, particularly those providing terminal access capabilities. Organizations using Eclipse Theia should immediately assess their deployments for this vulnerability and apply the recommended mitigations to prevent potential exploitation by malicious actors targeting developer environments or hosted services.

Responsible

Eclipse

Reservation

05/29/2026

Disclosure

07/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00159

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!