CVE-2026-10054

WebSocket Origin Validation Flaw in Eclipse Theia

Vulnerability report for CVE-2026-10054, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: Eclipse Foundation

Description

In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.


Meta Information

Published: 2026-07-03
Last modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Associated CPEs (3):

Vendor    Product    Version / Range
eclipse   theia      from 1.8.1 (inclusive)
theia     core       from 1.8.1 (inclusive)
theia     terminal   from 1.8.1 (inclusive)

Exploitability

CWE

CWE-1385: The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

AI-Generated Analysis
Executive Summary

CVE-2026-10054 is a vulnerability in Eclipse Theia versions 1.8.1 and later, where the browser backend exposes privileged terminal RPC over WebSocket endpoints (/services/shell-terminal, /services/terminals/:id) without proper service-level authentication.

The WebSocket origin validation in the @theia/core package is fail-open, meaning connections are accepted even when the Origin header is missing or when no THEIA_HOSTS allowlist is configured. Additionally, the Socket.IO integration replaces the real Origin header with a client-controlled fix-origin header, which attackers can manipulate or omit.

As a result, a malicious webpage from a foreign origin can connect to the Theia backend's WebSocket namespace, create a terminal, execute arbitrary operating system commands, and read their output without authentication or authorization. This affects both local developer setups and hosted or tunneled deployments lacking strong external authentication.

Impact Analysis

This vulnerability can have severe impacts, including unauthorized remote code execution and data exfiltration. An attacker can execute arbitrary OS commands on the affected system by exploiting the terminal RPC exposed over WebSocket.

It affects confidentiality, integrity, and availability of the system by allowing attackers to run commands and read their output, potentially compromising sensitive data and system stability.

Both local developer environments (via drive-by attacks) and hosted or tunneled Theia deployments without strong authentication are at risk, which could lead to full system compromise.

Detection Guidance

This vulnerability can be detected by attempting to connect to the Eclipse Theia backend WebSocket endpoints related to terminal services, specifically /services/shell-terminal and /services/terminals/:id, from a foreign origin or unauthorized client.

One practical detection method is to try executing a command such as `id` through the WebSocket terminal interface to verify if arbitrary command execution is possible without authentication.

A known exploit involves using a script that starts Theia on one port and serves a malicious webpage on another, which connects to the WebSocket namespace and executes commands to confirm the vulnerability.

  • Attempt to connect to ws://<theia-host>/services/shell-terminal or /services/terminals/:id using a WebSocket client from a different origin.
  • Use a WebSocket client or script to send commands like `id` through the terminal channel and check if the output is returned.
  • Monitor network traffic for unauthorized WebSocket connections to the /services namespace.

Mitigation Strategies

Immediate mitigation steps include restricting access to the Theia backend terminal services and enforcing authentication and authorization.

  • Configure the THEIA_HOSTS environment variable to restrict allowed WebSocket origins.
  • Isolate the Theia backend from untrusted networks to prevent unauthorized remote access.
  • Use a reverse proxy in front of Theia that enforces strong authentication and authorization.
  • Disable the terminal service entirely if it is not required.

A fix is in development that will enforce same-origin validation by default, remove trust in the fix-origin header, gate HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitize shell terminal creation options.
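The two origin-validation behaviours described above, side by side, as an added illustration that is not Eclipse Theia's own code: a fail-open check modelled on the advisory's description of affected versions (missing Origin accepted, empty allowlist accepts everything, client-supplied fix-origin header overrides the real Origin) and a fail-closed check of the kind the planned fix describes (same-origin by default, real Origin header only). A small log-review helper runs the fail-closed check over constructed sample upgrade requests to show what the "monitor network traffic" detection bullet would flag. The header handling, the allowlist parameter and the sample requests are assumptions made for this example.

```javascript
// Added example (not Eclipse Theia's own code): origin validation for
// WebSocket upgrade requests, fail-open vs fail-closed, plus a log-review
// helper. Header objects use lowercase keys, as Node's IncomingMessage does.

// Fail-open check modelling the behaviour the advisory describes for affected
// versions: a missing Origin is accepted, an empty allowlist (the default)
// accepts everything, and a client-supplied "fix-origin" header overrides
// the real Origin. Kept only to contrast with the hardened check below.
function failOpenOriginCheck(headers, allowedHosts) {
  const origin = headers["fix-origin"] ?? headers["origin"];
  if (!origin) return true;                                     // missing Origin -> accept
  if (!allowedHosts || allowedHosts.length === 0) return true;  // no allowlist -> accept
  return allowedHosts.includes(new URL(origin).host);
}

// Fail-closed check: only the real Origin header is consulted; a missing,
// empty, "null" or unparsable Origin is rejected; and when no explicit
// allowlist is configured only the request's own Host is allowed
// (same-origin by default).
function failClosedOriginCheck(headers, allowedHosts) {
  const origin = headers["origin"];
  if (typeof origin !== "string" || origin === "" || origin === "null") return false;
  let originHost;
  try {
    originHost = new URL(origin).host;
  } catch {
    return false;
  }
  if (!originHost) return false;
  const allow = Array.isArray(allowedHosts) && allowedHosts.length > 0
    ? allowedHosts
    : [headers["host"]];
  return allow.includes(originHost);
}

// Constructed sample WebSocket upgrade requests (not captured traffic), in the
// shape a reverse-proxy or application access log might be parsed into.
const SAMPLE_UPGRADES = [
  { path: "/services", headers: { host: "localhost:3000", origin: "http://localhost:3000" } },
  { path: "/services", headers: { host: "localhost:3000" } },                         // no Origin
  { path: "/services", headers: { host: "localhost:3000", origin: "http://attacker.invalid" } },
  { path: "/services", headers: { host: "localhost:3000", origin: "http://attacker.invalid",
                                  "fix-origin": "http://localhost:3000" } },         // override attempt
  { path: "/static/bundle.js", headers: { host: "localhost:3000" } },                 // not the RPC namespace
];

// Log-review helper: returns the upgrade requests to the /services namespace
// that the fail-closed check would have rejected, i.e. the connections worth
// investigating on an instance that still runs an affected version.
function flagSuspiciousUpgrades(requests, allowedHosts) {
  return requests
    .filter((r) => r.path.startsWith("/services") && !failClosedOriginCheck(r.headers, allowedHosts))
    .map((r) => ({ path: r.path, origin: r.headers["origin"] ?? "<missing>" }));
}

// With no allowlist configured, the fail-closed check flags the three
// /services upgrades that are not same-origin, including the one that tried
// to use fix-origin to look local.
console.log(flagSuspiciousUpgrades(SAMPLE_UPGRADES, []));
```

The contrast worth noting is the default case: with an empty allowlist the fail-open variant accepts every connection, while the fail-closed variant falls back to the request's own Host, so a deployment that never set an allowlist is still protected against foreign-origin pages.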

Compliance Impact

The vulnerability allows an attacker to execute arbitrary OS commands and read their output by exploiting missing authentication and origin validation in the Eclipse Theia terminal services. This leads to a high risk of unauthorized access to sensitive data and system control.

Such unauthorized access and potential data exfiltration can result in violations of common security requirements found in standards and regulations like GDPR and HIPAA, which mandate protection of sensitive data and strict access controls.

Therefore, if an organization uses affected versions of Eclipse Theia without proper mitigations, it may fail to comply with these regulations due to the risk of data breaches and unauthorized system access.
