GHSA-g9jw-92q7-g7fjHigh

[Eclipse Theia] Arbitrary Command Execution via Untrusted Workspace Task Definitions

Published
June 18, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitrary commands with the user's privileges. In combination with AI chat features and a workspace .theia/settings.json that disabled tool confirmation, this could be triggered automatically by sending a message in the AI chat.

🎯 Affected products3

  • npm/@theia/debug:< 1.69.0
  • npm/@theia/task:< 1.69.0
  • npm/@theia/workspace:< 1.69.0

🔗 References (6)