CVE-2026-22551

In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to construct image URLs encoding sensitive information from the workspace or conversation context, exfiltrating it to attacker-controlled servers. The workspace trust enforcement introduced in v1.71.0 mitigates the documented attack chain by disabling AI features in untrusted workspaces.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://gitlab.eclipse.org/security/cve-assignment/-/work_items/115	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:eclipse:theia:*:*:*:*:*:*:*:*

History

22 Jun 2026, 20:03

Type	Values Removed	Values Added
CPE		cpe:2.3:a:eclipse:theia::::::::
References	~~() https://gitlab.eclipse.org/security/cve-assignment/-/work_items/115 -~~	() https://gitlab.eclipse.org/security/cve-assignment/-/work_items/115 - Patch, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
First Time		Eclipse theia Eclipse

18 Jun 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-18 16:16

Updated : 2026-06-22 20:03

NVD link : CVE-2026-22551

Mitre link : CVE-2026-22551

CVE.ORG link : CVE-2026-22551

JSON object : View

Products Affected

eclipse

theia

CWE

CWE-201

Insertion of Sensitive Information Into Sent Data

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

{"id": "CVE-2026-22551", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-22551", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-18T15:25:00.091475Z"}}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "emo@eclipse.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.7, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "emo@eclipse.org", "affectedData": [{"repo": "https://github.com/eclipse-theia/theia", "vendor": "Eclipse Foundation", "product": "Eclipse Theia", "versions": [{"status": "affected", "version": "0", "lessThan": "1.71.0", "versionType": "semver"}], "defaultStatus": "unaffected"}]}], "published": "2026-06-18T16:16:52.960", "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/work_items/115", "tags": ["Patch", "Vendor Advisory"], "source": "emo@eclipse.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-201"}, {"lang": "en", "value": "CWE-829"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to construct image URLs encoding sensitive information from the workspace or conversation context, exfiltrating it to attacker-controlled servers. The workspace trust enforcement introduced in v1.71.0 mitigates the documented attack chain by disabling AI features in untrusted workspaces."}], "lastModified": "2026-06-22T20:03:38.537", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:theia:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "162528FA-7AE5-4808-8756-2FDF93ED0DD2", "versionEndExcluding": "1.71.0"}], "operator": "OR"}]}], "sourceIdentifier": "emo@eclipse.org"}