CVE-2026-10055
Severity CVSS v4.0:
Pending analysis
Type:
CWE-200
Information Leak / Disclosure
Publication date:
03/07/2026
Last modified:
03/07/2026
Description
In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller.<br />
<br />
<br />
<br />
<br />
Because the destination URL is neither validated nor allowlisted, a remote attacker with access to the Theia service connection can issue server-side HTTP requests to localhost or other backend-reachable hosts and read their responses, exposing internal administrative endpoints, cloud instance metadata services, and other resources that are intentionally outside the browser network boundary.<br />
<br />
<br />
<br />
<br />
The vulnerability affects deployments where the Theia service connection is reachable by untrusted users (for example, multi-tenant or publicly-reachable Theia deployments).
Impact
Base Score 3.x
8.50
Severity 3.x
HIGH



