CVE-2026-1699

CRITICAL

10.0

Beschreibung

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.

CVE Details

CVSS v3.1 Bewertung10.0

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht1/30/2026

Zuletzt geandert3/10/2026

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

eclipse:theia_website

Schwachen (CWE)

CWE-829

Referenzen

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/332(emo@eclipse.org)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.