CVE-2026-44691

Severity: HIGH · CVSS 4.0 base score 8.4 · EPSS 13.8%
Published Jun 18, 2026 · Last Modified Jun 22, 2026

Description

In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitrary commands with the user's privileges. In combination with AI chat features and a workspace .theia/settings.json that disabled tool confirmation, this could be triggered automatically by sending a message in the AI chat.
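A pre-open audit for a freshly cloned repository, added here as an illustration (not code from Eclipse Theia or from the advisory): it lists every task command and every workspace setting key found in the files named above, so they can be reviewed before the folder is opened. It assumes the usual `tasks` array with `label`, `command` and `args` fields; because the advisory does not name the setting that disables tool confirmation, all keys in `.theia/settings.json` are listed.

```python
import json, re, sys, tempfile
from pathlib import Path

TASK_FILES = (".theia/tasks.json", ".vscode/tasks.json")  # paths named in the advisory
SETTINGS_FILE = ".theia/settings.json"
_STR = r'"(?:\\.|[^"\\])*"'
_COMMENTS = re.compile(_STR + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING = re.compile(_STR + r"|,(?=\s*[}\]])")

def load_jsonc(path):
    """Parse JSON that may carry comments and trailing commas (string literals are kept)."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return json.loads(_TRAILING.sub(keep, _COMMENTS.sub(keep, text)))

def audit_workspace(root):
    """Return (file, label, detail) tuples. Assumed layout: {"tasks": [{label, command, args}]}."""
    root, findings = Path(root), []
    for rel in TASK_FILES + (SETTINGS_FILE,):
        path = root / rel
        if not path.is_file():
            continue
        try:
            doc = load_jsonc(path)
        except (ValueError, OSError) as exc:
            findings.append((rel, "unparseable", str(exc)))  # report it, never assume it is safe
            continue
        if not isinstance(doc, dict):
            findings.append((rel, "unexpected-structure", type(doc).__name__))
        elif rel == SETTINGS_FILE:
            findings.append((rel, "workspace-settings", ", ".join(sorted(doc))))
        else:
            for task in (doc.get("tasks") if isinstance(doc.get("tasks"), list) else []):
                if isinstance(task, dict):
                    args = task.get("args", [])
                    parts = [task.get("command", "")] + (args if isinstance(args, list) else [args])
                    detail = " ".join(str(p) for p in parts).strip()
                    findings.append((rel, str(task.get("label", "<unlabelled>")), detail))
    return findings

if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp())
    if len(sys.argv) < 2:  # constructed sample workspace so the script runs offline
        (target / ".vscode").mkdir()
        (target / ".vscode/tasks.json").write_text(
            '{"version": "2.0.0", // constructed\n "tasks": [{"label": "build", '
            '"type": "shell", "command": "sh", "args": ["-c", "echo sample"],}]}')
    for finding in audit_workspace(target):
        print("%s\t%s\t%s" % finding)
```

Run it with the clone's path as the only argument; an empty result means none of the three files is present.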

CVSS Details

Base Score: 8.4
Exploitability
Impact
Vector string: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: A
Scope: X

Threat Intelligence

EPSS Exploit Probability: 13.8% percentile
Exploit & Patch Status: No Known Exploit, Patch Available

Weaknesses 1

CWE-829

Affected Products 1

Vendor   Product  Version  Range
eclipse  theia    *        <1.69.0

References 1

  • gitlab.eclipse.org https://gitlab.eclipse.org/security/cve-assignment/-/work_items/116
    Patch, Vendor Advisory

Remediation

  • gitlab.eclipse.org https://gitlab.eclipse.org/security/cve-assignment/-/work_items/116
    Patch, Vendor Advisory