CVE-2026-44691
HIGHEclipse Theia < 1.69.0 - Inclusion of Functionality from Untrusted Control Sphere
Title source: ruleDescription
In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitrary commands with the user's privileges. In combination with AI chat features and a workspace .theia/settings.json that disabled tool confirmation, this could be triggered automatically by sending a message in the AI chat.
References (1)
Core 1
Scores
CVSS v3
8.8
EPSS
0.0023
EPSS Percentile
13.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-829
Status
published
Products (5)
eclipse/theia
< 1.69.0
Eclipse Foundation/Eclipse Theia
< 1.69.0
theia/debug
0 - 1.69.0npm
theia/task
0 - 1.69.0npm
theia/workspace
0 - 1.69.0npm
Published
Jun 18, 2026
Tracked Since
Jun 18, 2026