Privilege Escalation Vulnerability in Eclipse Theia by Eclipse Foundation
CVE-2026-10054

8.8 HIGH

Key Information:

Vendor
CVE Published: 3 July 2026

What is CVE-2026-10054?

In certain versions of Eclipse Theia, the browser backend exposes terminal services without adequate authentication, allowing remote code execution through vulnerable WebSocket connections. The failure to validate the Origin header enables attackers to exploit the system by accessing shell terminals and executing arbitrary OS commands. This situation is exacerbated in environments lacking strong external authentication measures. Developers should ensure they apply the forthcoming patch to enforce appropriate origin validation and enhance overall security.
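The origin validation the description calls for can be sketched as a check on the WebSocket upgrade request. This is an added example, not Eclipse Theia's code or its patch; the function names, the allowlist and the sample headers are hypothetical, and it assumes a policy of refusing handshakes that carry no Origin header.

```javascript
// Added example, not Eclipse Theia code. All names and sample values are hypothetical.

// Reduce an Origin value to scheme://host[:port]; null if absent, opaque or malformed.
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value === '' || value === 'null') return null;
  try {
    const u = new URL(value);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    // A browser-sent Origin has no path, query, fragment or credentials.
    if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Decide whether a WebSocket handshake may proceed, by exact origin match.
function checkUpgrade(headers, allowedOrigins) {
  const allowed = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
  const origin = normalizeOrigin(headers.origin);
  if (origin === null) return { ok: false, reason: 'missing or malformed Origin' };
  if (!allowed.has(origin)) return { ok: false, reason: 'origin not allowed: ' + origin };
  return { ok: true, reason: 'origin allowed' };
}

// Wire the check into a Node http.Server so refused handshakes never reach
// the WebSocket layer; onAccepted is the caller's own upgrade handler.
function guardUpgrades(server, allowedOrigins, onAccepted) {
  server.on('upgrade', (req, socket, head) => {
    if (!checkUpgrade(req.headers, allowedOrigins).ok) {
      socket.end('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
      return;
    }
    onAccepted(req, socket, head);
  });
}

// Constructed sample handshake headers (Node lower-cases header names).
const ALLOWED = ['https://ide.example.test'];
const SAMPLES = [
  { origin: 'https://ide.example.test' },               // the IDE's own page
  { origin: 'https://ide.example.test.other.example' }, // look-alike host
  { origin: 'null' },                                   // opaque origin
  {},                                                   // no Origin header at all
];
function runSamples() {
  return SAMPLES.map((h) => checkUpgrade(h, ALLOWED).ok);
}
```

An Origin check only constrains what other web pages can do through a user's browser; a non-browser client can send any Origin value, so the terminal service still needs authentication of its own.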

Affected Version(s)

Eclipse Theia 1.8.1 < 1.73.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Anwar Ayoob