CVE-2026-44688

CVSS 8.4 HIGHEPSS 0.3%CWE-1427 CWE-829

In short

Eclipse Theia's AI chat feature didn't properly separate file and folder names from instructions, allowing attackers to embed malicious commands in directory names that the AI would execute. This could lead to stealing data or running unauthorized commands on your computer.

Technical detail

CWE-1427 (Uncontrolled Search Path Element) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere): The AI agent concatenates unsanitized workspace file/directory names into prompt context without prompt injection guards. An attacker can craft a malicious repository with adversarial names that inject instructions into the AI's execution flow, enabling data exfiltration via Markdown image rendering or arbitrary command execution through task definitions in untrusted workspaces.

Summary generated and translated by AI from the official description.

In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository with adversarial directory or file names that, when analyzed by the AI agent, would cause the agent to follow attacker-controlled instructions (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Eclipse Foundation · Eclipse Theia

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://gitlab.eclipse.org/security/cve-assignment/-/work_items/113