CVE-2026-10055
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-200
Revelación de información
Fecha de publicación:
03/07/2026
Última modificación:
03/07/2026
Descripción
*** Pendiente de traducción *** In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller.<br />
<br />
<br />
<br />
<br />
Because the destination URL is neither validated nor allowlisted, a remote attacker with access to the Theia service connection can issue server-side HTTP requests to localhost or other backend-reachable hosts and read their responses, exposing internal administrative endpoints, cloud instance metadata services, and other resources that are intentionally outside the browser network boundary.<br />
<br />
<br />
<br />
<br />
The vulnerability affects deployments where the Theia service connection is reachable by untrusted users (for example, multi-tenant or publicly-reachable Theia deployments).
Impacto
Puntuación base 3.x
8.50
Gravedad 3.x
ALTA



