CVE-2026-44691

HIGH

Eclipse Theia < 1.69.0 - Inclusion of Functionality from Untrusted Control Sphere

Title source: rule
STIX 2.1

Description

In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitrary commands with the user's privileges. In combination with AI chat features and a workspace .theia/settings.json that disabled tool confirmation, this could be triggered automatically by sending a message in the AI chat.

Scores

CVSS v3 8.8
EPSS 0.0023
EPSS Percentile 13.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-829
Status published
Products (5)
eclipse/theia < 1.69.0
Eclipse Foundation/Eclipse Theia < 1.69.0
theia/debug 0 - 1.69.0npm
theia/task 0 - 1.69.0npm
theia/workspace 0 - 1.69.0npm
Published Jun 18, 2026
Tracked Since Jun 18, 2026