WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit.
As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication.
A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 07 Jul 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Browser Backend Terminal RPC Exposes Remote Code Execution via WebSocket |
Mon, 06 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Browser Backend Terminal RPC Exposes Remote Code Execution via WebSocket |
Mon, 06 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Mon, 06 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unauthenticated Terminal Access Exploits Shell Command Execution in Eclipse Theia |
Mon, 06 Jul 2026 04:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unauthenticated Terminal Access Exploits Shell Command Execution in Eclipse Theia |
Sun, 05 Jul 2026 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Theia Browser Backend Exposes Unauthenticated Terminal RPC Over WebSocket, Enabling Remote Code Execution |
Sun, 05 Jul 2026 05:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Theia Browser Backend Exposes Unauthenticated Terminal RPC Over WebSocket, Enabling Remote Code Execution |
Sat, 04 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unrestricted Terminal RPC Allowing Remote Code Execution in Eclipse Theia |
Sat, 04 Jul 2026 09:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Unrestricted Terminal RPC Allowing Remote Code Execution in Eclipse Theia |
Sat, 04 Jul 2026 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Exposed Privileged Terminal RPC via WebSocket Enables Remote Code Execution in Eclipse Theia |
Fri, 03 Jul 2026 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Exposed Privileged Terminal RPC via WebSocket Enables Remote Code Execution in Eclipse Theia |
Fri, 03 Jul 2026 12:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Eclipse
Eclipse theia |
|
| Vendors & Products |
Eclipse
Eclipse theia |
Fri, 03 Jul 2026 11:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options. | |
| Weaknesses | CWE-1385 CWE-306 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: eclipse
Published:
Updated: 2026-07-07T03:56:07.775Z
Reserved: 2026-05-29T07:35:37.279Z
Link: CVE-2026-10054
Updated: 2026-07-06T14:18:35.722Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-07T12:00:07Z