Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-10054
PUBLISHED
More InfoOfficial Page
Assigner-eclipse
Assigner Org ID-e51fbebd-6053-4e49-959f-1b94eeb69a2c
View Known Exploited Vulnerability (KEV) details
Published At-03 Jul, 2026 | 10:11
Updated At-03 Jul, 2026 | 10:11
Rejected At-
▼CVE Numbering Authority (CNA)

In affected versions of Eclipse Theia (1.8.1 and later), the browser backend exposes privileged terminal RPC over WebSocket (/services/shell-terminal, /services/terminals/:id) without service-level authentication. WebSocket origin validation in @theia/core is fail-open: connections are accepted when the Origin header is missing or when no THEIA_HOSTS allowlist is configured (the default). The Socket.IO integration additionally replaces the real Origin header with a client-supplied fix-origin header that an attacker can control or omit. As a result, a foreign-origin web page visited by a user with a running Theia instance can open the /services WebSocket namespace, invoke terminal creation, attach to the resulting terminal data channel, execute arbitrary OS commands, and read their output. This affects both local developer setups (drive-by attack) and hosted or tunneled deployments without strong external authentication. A fix is in development that enforces same-origin validation by default, removes trust in the fix-origin header, gates HTTP and WebSocket access on a SameSite=Strict; HttpOnly connection-token cookie, and sanitizes shell terminal creation options.

Affected Products
Vendor
Eclipse Foundation AISBLEclipse Foundation
Product
Eclipse Theia
Default Status
unaffected
Versions
Affected
  • From 1.8.1 before 1.73.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-1385CWE-1385 Missing origin validation in WebSockets
CWECWE-306CWE-306 Missing authentication for critical function
Type: CWE
CWE ID: CWE-1385
Description: CWE-1385 Missing origin validation in WebSockets
Type: CWE
CWE ID: CWE-306
Description: CWE-306 Missing authentication for critical function
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-111CAPEC-111 JSON Hijacking (aka JavaScript Hijacking)
CAPEC-62CAPEC-62 Cross Site Request Forgery
CAPEC ID: CAPEC-111
Description: CAPEC-111 JSON Hijacking (aka JavaScript Hijacking)
CAPEC ID: CAPEC-62
Description: CAPEC-62 Cross Site Request Forgery
Solutions

Configurations

Workarounds

Exploits

Credits

reporter
Anwar Ayoob
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/eclipse-theia/theia/security/advisories/GHSA-78g8-vm3p-97c6
N/A
https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/376
N/A
Hyperlink: https://github.com/eclipse-theia/theia/security/advisories/GHSA-78g8-vm3p-97c6
Resource: N/A
Hyperlink: https://gitlab.eclipse.org/security/vulnerability-reports/-/work_items/376
Resource: N/A
Details not found