Privilege Escalation Vulnerability in Eclipse Theia by Eclipse Foundation
CVE-2026-10054
8.8 HIGH
What is CVE-2026-10054?
In certain versions of Eclipse Theia, the browser backend exposes terminal services without adequate authentication, allowing remote code execution through vulnerable WebSocket connections. Because the Origin header is not validated, attackers can access shell terminals and execute arbitrary OS commands. The risk is greater in environments that lack strong external authentication measures. Developers should apply the forthcoming patch, which enforces appropriate origin validation.
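One way to enforce the Origin validation described above, as an added example rather than Theia's code or its patch: an exact allow-list check run before the WebSocket handshake. The function names, the allowed origins and the policy of refusing requests that carry no Origin header are assumptions.

```javascript
// Added example, not Theia's code or its patch. Names and origins are hypothetical.
// Origins allowed to open the terminal WebSocket (constructed sample values).
const ALLOWED_ORIGINS = new Set(["https://ide.example.test", "http://localhost:3000"]);

// Return the canonical origin when `raw` is a well-formed serialized origin, else null.
function canonicalOrigin(raw) {
  if (typeof raw !== "string" || raw === "null") return null;
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // Browsers send exactly scheme://host[:port]. A path, userinfo or several
  // comma-joined values do not round-trip and are refused.
  return url.origin === raw.toLowerCase() ? url.origin : null;
}

// Decide whether an upgrade request may proceed to the WebSocket handshake.
// `headers` uses lower-cased names, as Node's http.IncomingMessage does.
function checkUpgrade(headers, allowed = ALLOWED_ORIGINS) {
  const origin = canonicalOrigin(headers["origin"]);
  if (origin === null) {
    // Assumption: browser-only endpoint, so a missing or malformed Origin is refused.
    return { accept: false, status: 403, reason: "missing or malformed Origin" };
  }
  // Exact set membership: no prefix, suffix or substring matching.
  if (!allowed.has(origin)) {
    return { accept: false, status: 403, reason: `origin not allowed: ${origin}` };
  }
  return { accept: true, status: 101, reason: "ok" };
}

// Constructed sample upgrade requests (headers only).
const samples = [
  { origin: "https://ide.example.test" },
  { origin: "https://ide.example.test.other.example" },
  { origin: "null" },
  {},
];
for (const h of samples) {
  console.log(JSON.stringify(h), "->", JSON.stringify(checkUpgrade(h)));
}
```

An Origin check only keeps other web pages from reaching the endpoint through a user's browser; non-browser clients can send any Origin value, so the terminal service still needs authentication.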
Affected Version(s)
Eclipse Theia 1.8.1 < 1.73.0
