Arbitrary Command Execution Vulnerability in Eclipse Theia
CVE-2026-44691

8.4HIGH

Key Information:

Vendor: Eclipse Foundation
Status: Eclipse Theia
Vendor: CVE Published:; 18 June 2026

🔔 Create Eclipse Foundation Vulnerability Alert

What is CVE-2026-44691?

In Eclipse Theia versions prior to 1.69.0, a vulnerability allows arbitrary command execution through custom task definitions in workspace files. Malicious actors can exploit this by creating harmful repositories that trigger execution of commands using the user's privileges, particularly when combined with AI chat features. This vulnerability can be further exacerbated by a workspace configuration that disables tool confirmations, potentially leading to automatic execution of commands when the malicious message is sent.

Affected Version(s)

Eclipse Theia 0 < 1.69.0

References

https://gitlab.eclipse.org/security/cve-assignment/-/work...

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 18, 2026
Vulnerability Reserved
May 22, 2026

Credit

Piotr Ryciak (https://gitlab.eclipse.org/void01)

CVE-2026-44691 Data

JSON