PatchSiren cyber security CVE debrief
CVE-2026-46580 Eclipse Foundation CVE debrief
CVE-2026-46580 is a HIGH-severity vulnerability in Eclipse Theia, a cloud-native, multi-protocol IDE framework. In versions prior to 1.71.0, Theia automatically loaded files matching the pattern `.prompts/*.prompttemplate` in a workspace, allowing an attacker to craft malicious repository containing prompt template files. When a workspace was opened in Theia, these files could replace the AI's system instructions with attacker-controlled content, enabling indirect prompt injection. This vulnerability, combined with other AI chat features available in untrusted workspaces, could lead to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions. Users of affected Theia versions should update to 1.71.0 or later to mitigate this vulnerability.
- Vendor
- Eclipse Foundation
- Product
- Eclipse Theia
- CVSS
- HIGH 8.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-18
- Original CVE updated
- 2026-06-22
- Advisory published
- 2026-06-18
- Advisory updated
- 2026-06-22
Who should care
Developers and users of Eclipse Theia, especially those working with AI-powered features in untrusted workspaces, should be aware of this vulnerability. Additionally, security teams and administrators responsible for managing and securing development environments should take note of this issue and ensure that Theia instances are updated to a secure version.
Technical summary
The vulnerability exists in Eclipse Theia versions prior to 1.71.0. Theia's automatic loading of `.prompts/*.prompttemplate` files in a workspace allows an attacker to inject malicious prompts. This can be exploited through a crafted repository, enabling indirect prompt injection when the workspace is opened. The CVSS score for this vulnerability is 8.4, indicating a HIGH severity level. The CVSS vector is CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
HIGH
Recommended defensive actions
- Update Eclipse Theia to version 1.71.0 or later
- Verify that all workspaces and repositories are trusted before opening them in Theia
- Implement strict access controls for workspaces and repositories
- Monitor for suspicious activity in Theia workspaces
- Use secure protocols for data exchange and storage
- Regularly review and update Theia and its dependencies
Evidence notes
The information provided is based on data from the NVD and CVE.org. The CVE record and NVD detail pages provide official information about the vulnerability. The source item URL provides additional context from the NVD's vulnerability database.
Official resources
-
CVE-2026-46580 CVE record
CVE.org
-
CVE-2026-46580 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
public