CVE-2026-10055

Server-Side Request Forgery in Eclipse Theia

Vulnerability report for CVE-2026-10055, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: Eclipse Foundation

Description

In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller. Because the destination URL is neither validated nor allowlisted, a remote attacker with access to the Theia service connection can issue server-side HTTP requests to localhost or other backend-reachable hosts and read their responses, exposing internal administrative endpoints, cloud instance metadata services, and other resources that are intentionally outside the browser network boundary. The vulnerability affects deployments where the Theia service connection is reachable by untrusted users (for example, multi-tenant or publicly reachable Theia deployments).

Meta Information

Published: 2026-07-03
Last modified: 2026-07-03
Generated: 2026-07-03
EPSS evaluated: N/A

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
eclipse theia 1.26.0
eclipse theia From 1.26.0 (inc)
eclipse theia to 1.73.0 (inc)
eclipse theia *
theia core *
theia request *

Exploitability

CWE ID   Description
CWE-200  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-918  The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Mitigation Strategies

Immediate mitigation steps include restricting access to the /services/request-service RPC endpoint to trusted users only.

Additional measures involve validating or allowlisting destination URLs to prevent server-side requests to unauthorized internal resources.

Network-level controls such as firewall rules or proxy configurations should be used to block or limit outbound HTTP requests from the backend to internal or localhost addresses.

Blocking the RPC endpoint at the proxy layer or restricting network access to the backend service can also reduce exposure.

Upgrading Eclipse Theia to version 1.73.0 or later, where the vulnerability is patched, is a recommended long-term solution.
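As an added example (not Theia project code), the following TypeScript shows a destination-URL policy check of the kind the allowlisting measure above describes, to be applied before a backend performs a client-supplied request. The allowlist entries and the function names are assumptions for illustration.

```typescript
import { isIP } from "node:net";

// Hypothetical allowlist of external hosts the backend may fetch from; a real
// deployment would load this from configuration rather than hard-code it.
export const ALLOWED_HOSTS = new Set(["open-vsx.org", "registry.npmjs.org"]);

// True for names or IP literals that point inside the backend's network boundary:
// localhost, loopback, unspecified, link-local (including the 169.254.169.254
// cloud metadata address) and RFC 1918 / IPv6 ULA private space.
export function isInternalAddress(host: string): boolean {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const version = isIP(h);
  if (version === 4) {
    const [a, b] = h.split(".").map(Number);
    return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  }
  if (version === 6) {
    if (h.startsWith("::ffff:")) {                 // IPv4-mapped IPv6, e.g. ::ffff:127.0.0.1
      const v4 = h.slice(7);
      return isIP(v4) === 4 ? isInternalAddress(v4) : true; // unknown form: reject
    }
    return h === "::1" || h === "::" || h.startsWith("fe80:") ||
      h.startsWith("fc") || h.startsWith("fd");
  }
  return false;
}

export type Verdict = { allowed: true } | { allowed: false; reason: string };

// Policy gate to run before the backend performs a client-supplied request.
// The WHATWG URL parser canonicalises IPv4 spellings (e.g. http://2130706433/
// becomes 127.0.0.1) before the checks run. Caveat: the allowlist is matched by
// name only; the resolved address and any redirect target must be re-checked at
// fetch time, or an allowlisted name resolving to an internal address slips through.
export function checkRequestUrl(raw: string, allowedHosts = ALLOWED_HOSTS): Verdict {
  let url: URL | undefined;
  try { url = new URL(raw); } catch { /* fall through to the rejection below */ }
  if (!url) return { allowed: false, reason: "unparseable URL" };
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { allowed: false, reason: `scheme ${url.protocol} not permitted` };
  if (url.username || url.password) return { allowed: false, reason: "credentials in URL" };
  if (isInternalAddress(url.hostname)) return { allowed: false, reason: "internal destination" };
  if (!allowedHosts.has(url.hostname)) return { allowed: false, reason: `${url.hostname} not allowlisted` };
  return { allowed: true };
}
```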

Executive Summary

CVE-2026-10055 is a Server-Side Request Forgery (SSRF) vulnerability in Eclipse Theia versions 1.26.0 and above. The backend /services/request-service RPC accepts a URL from any client connected to the standard /services messaging endpoint and performs the HTTP request server-side without validating or allowlisting the destination URL.

This allows an attacker with access to the Theia service connection to make the backend fetch and return responses from internal or localhost services that are normally inaccessible from the browser, exposing sensitive internal resources.

Impact Analysis

This vulnerability can lead to unauthorized access to internal administrative endpoints, cloud instance metadata services, and other sensitive internal resources that should be protected from untrusted users.

An attacker with low privileges and no user interaction can exploit this to read confidential information by making the backend server perform HTTP requests to internal services and returning their full response bodies.

This is especially dangerous in multi-tenant or publicly accessible Theia deployments where untrusted users can reach the backend service connection.

Detection Guidance

Detecting exploitation attempts involves monitoring for unusual or unauthorized requests to the /services/request-service RPC endpoint in Eclipse Theia deployments.

Specifically, look for requests reaching the backend that carry attacker-controlled URLs targeting localhost or internal services.

Commands to detect potential exploitation attempts could include inspecting network traffic or logs for requests to /services/request-service with suspicious URL parameters.

  • Use network monitoring tools like tcpdump or Wireshark to capture traffic to the Theia service endpoint and filter for requests containing /services/request-service.
  • Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep '/services/request-service'
    Note that traffic on port 443 is TLS-encrypted, so the grep only matches plaintext port 80 traffic or a capture taken behind the TLS-terminating reverse proxy; the proxy's access logs are usually the more practical place to look.
  • Check Theia server logs for RPC calls to /services/request-service with URLs pointing to localhost or internal IP ranges.
  • Correlate with outbound connections opened by the backend process itself to loopback, private ranges, or the cloud instance metadata address, since those are the destinations an SSRF through this service would reach.

Compliance Impact

This vulnerability allows unauthorized access to internal resources and sensitive data by exposing internal administrative endpoints, cloud instance metadata services, and other protected resources through server-side request forgery (SSRF).

Such unauthorized data exposure can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to sensitive and personal data.

Because the vulnerability enables attackers to retrieve sensitive internal information without proper authorization, affected deployments may face compliance risks related to confidentiality and data protection requirements.
