Eclipse Theia <1.69.0 Untrusted .theia/tasks.json Exec Risk
CVE-2026-44691 Published on June 18, 2026
In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files (e.g. .theia/tasks.json, .vscode/tasks.json) could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitrary commands with the user's privileges. In combination with AI chat features and a workspace .theia/settings.json that disabled tool confirmation, this could be triggered automatically by sending a message in the AI chat.
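A pre-open audit for the workspace files named above, as an added example that is not part of the advisory or of Eclipse Theia's code: it lists every task command in `.theia/tasks.json` and `.vscode/tasks.json` and the keys set in `.theia/settings.json`, without executing anything. The sample task, the `example.placeholder` settings key and all function names are constructed for illustration, and the task-file layout (a top-level `tasks` array whose entries carry `label`, `command` and `args`) is assumed to follow the VS Code tasks schema.

```python
import json, re, tempfile
from pathlib import Path

TASK_FILES = (".theia/tasks.json", ".vscode/tasks.json")  # named in the advisory
SETTINGS_FILE = ".theia/settings.json"
_STR = r'"(?:\\.|[^"\\])*"'  # JSON string literal, matched first so it is kept intact
# Constructed sample input, not taken from a real repository.
SAMPLE_TASKS = """{
  // task files are commonly JSON with comments and trailing commas
  "tasks": [{"label": "build", "type": "shell", "command": "sh", "args": ["./build.sh"],},]
}"""

def load_jsonc(text):  # tolerates // and /* */ comments and trailing commas
    keep_str = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = re.sub(_STR + r"|//[^\n]*|/\*.*?\*/", keep_str, text, flags=re.S)
    text = re.sub(_STR + r"|,(?=\s*[}\]])", keep_str, text, flags=re.S)
    return json.loads(text)

def audit_workspace(root):
    """List task commands and workspace settings keys without executing anything."""
    findings = {"tasks": [], "settings_keys": [], "unparsed": []}
    for rel in (*TASK_FILES, SETTINGS_FILE):
        path = Path(root, rel)
        if not path.is_file():
            continue
        try:
            doc = load_jsonc(path.read_text(encoding="utf-8"))
            if not isinstance(doc, dict):
                raise ValueError("top level is not an object")
        except ValueError:  # malformed or unexpected content: review by hand
            findings["unparsed"].append(rel)
            continue
        if rel == SETTINGS_FILE:
            findings["settings_keys"] = sorted(doc)  # every key needs a human look
            continue
        for task in doc.get("tasks") or []:
            if isinstance(task, dict) and "command" in task:
                args = task.get("args") if isinstance(task.get("args"), list) else []
                cmd = " ".join(map(str, [task["command"], *args]))
                findings["tasks"].append((rel, task.get("label", "<unlabelled>"), cmd))
    return findings

def demo():  # audits a constructed workspace built in a temporary directory
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, ".theia").mkdir()
        Path(tmp, ".theia/tasks.json").write_text(SAMPLE_TASKS, encoding="utf-8")
        Path(tmp, ".theia/settings.json").write_text('{"example.placeholder": true}', encoding="utf-8")
        return audit_workspace(tmp)

if __name__ == "__main__":
    print(demo())
```

Files listed under `unparsed` could not be read as a JSON object and should be inspected by hand rather than treated as empty.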
Weakness Type
Inclusion of Functionality from Untrusted Control Sphere
The software imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Products Associated with CVE-2026-44691
Affected Versions
Eclipse Foundation Eclipse Theia: versions before 1.69.0 are affected.