Description
In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication.




WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit.




As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication.




A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.
Published: 2026-07-03
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Title Browser Backend Terminal RPC Exposes Remote Code Execution via WebSocket

Mon, 06 Jul 2026 22:15:00 +0000

Type Values Removed Values Added
Title Browser Backend Terminal RPC Exposes Remote Code Execution via WebSocket

Mon, 06 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Terminal Access Exploits Shell Command Execution in Eclipse Theia

Mon, 06 Jul 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Terminal Access Exploits Shell Command Execution in Eclipse Theia

Sun, 05 Jul 2026 17:15:00 +0000

Type Values Removed Values Added
Title Theia Browser Backend Exposes Unauthenticated Terminal RPC Over WebSocket, Enabling Remote Code Execution

Sun, 05 Jul 2026 05:00:00 +0000

Type Values Removed Values Added
Title Theia Browser Backend Exposes Unauthenticated Terminal RPC Over WebSocket, Enabling Remote Code Execution

Sat, 04 Jul 2026 20:45:00 +0000

Type Values Removed Values Added
Title Unrestricted Terminal RPC Allowing Remote Code Execution in Eclipse Theia

Sat, 04 Jul 2026 09:30:00 +0000

Type Values Removed Values Added
Title Unrestricted Terminal RPC Allowing Remote Code Execution in Eclipse Theia

Sat, 04 Jul 2026 01:15:00 +0000

Type Values Removed Values Added
Title Exposed Privileged Terminal RPC via WebSocket Enables Remote Code Execution in Eclipse Theia

Fri, 03 Jul 2026 17:45:00 +0000

Type Values Removed Values Added
Title Exposed Privileged Terminal RPC via WebSocket Enables Remote Code Execution in Eclipse Theia

Fri, 03 Jul 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse theia
Vendors & Products Eclipse
Eclipse theia

Fri, 03 Jul 2026 11:00:00 +0000

Type Values Removed Values Added
Description In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.
Weaknesses CWE-1385
CWE-306
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-07-07T03:56:07.775Z

Reserved: 2026-05-29T07:35:37.279Z

Link: CVE-2026-10054

cve-icon Vulnrichment

Updated: 2026-07-06T14:18:35.722Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T12:00:07Z

Weaknesses