CRITICAL🇵🇱 Wersja polska

CVE-2026-1699

CVSS 10.0v3.1pub. 2026-01-30upd. 2026-03-10

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.

🤖 AI Analysis
How it works

The workflow .github/workflows/preview.yml used the pull_request_target trigger, which — unlike pull_request — runs in the context of the target repository (with access to secrets) while simultaneously fetching and executing code from an external pull request. An attacker could open a malicious pull request whose code was then executed in a privileged CI environment with access to repository secrets and a GITHUB_TOKEN with contents:write, packages:write, pages:write, and actions:write permissions. This is a classic 'pwn request' exploitation technique, classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

Impact

An attacker could steal repository secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia project website, and inject malicious code directly into the repository. The compromise could have affected the software supply chain distributed by the Eclipse organization.

Mitigation & patch

Patches provided by the vendor should be applied according to references. Recommended actions include changing the trigger from pull_request_target to pull_request or adding explicit code verification before execution, restricting GITHUB_TOKEN permissions to the minimum necessary (principle of least privilege), and reviewing all workflows for similar configurations.

Who is affected

Eclipse Theia Website repository — workflow .github/workflows/preview.yml; CI/CD environment based on GitHub Actions with vulnerable pull_request_target trigger configuration

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Eclipse Theia Website

    APP
    Eclipse
    < 2026-01-22
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECI/CD
CWE
References

Related vulnerabilities

CVE-2026-2586CRITICAL9.1ten sam vendor

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Consol...

CVE-2026-2587CRITICAL9.6ten sam vendor

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mech...

CVE-2026-24457CRITICAL9.1PL ✓ten sam vendor

Path Traversal w Eclipse OpenMQ umożliwia odczyt plików i potencjalny RCE

CVE-2026-22886CRITICAL9.8PL ✓ten sam vendor

Eclipse OpenMQ — domyślne dane logowania umożliwiają przejęcie kontroli

CVE-2025-67109CRITICAL10.0PL ✓ten sam vendor

Eclipse Cyclone DDS — błędna weryfikacja czasu certyfikatu umożliwia eskalację uprawnień