CVE-2026-1699

10.0 CRITICAL
Published: January 30, 2026 Modified: March 10, 2026

Description

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used the pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.
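The bug class described above, as an added illustration (not the actual contents of the theia-website preview.yml): the weak trigger and permission set next to the hardened form; the workflow names, build command and the DEPLOY_TOKEN secret name are assumed placeholders.

```yaml
# Added illustration of the bug class in this CVE; it is NOT the real
# contents of eclipse-theia/theia-website's preview.yml. Workflow names,
# the build command and the secret name DEPLOY_TOKEN are placeholders.

# --- Vulnerable pattern ---
# pull_request_target runs in the context of the base repository, so the job
# receives repository secrets and a GITHUB_TOKEN with the permissions below.
# Checking out the PR head and running its build scripts executes the fork
# author's code with those credentials in scope.
name: preview (vulnerable)
on:
  pull_request_target:
permissions:
  contents: write
  pages: write
  packages: write
  actions: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted code
      - run: yarn install && yarn build                   # runs that code
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}       # secret exposed to it
---
# --- Hardened pattern ---
# Build untrusted code under the plain pull_request trigger: for forks the
# GITHUB_TOKEN is read-only and repository secrets are not available. Keep
# the workflow's own permissions minimal as well. Any privileged deploy step
# belongs in a separate workflow_run workflow that only consumes the built
# artifact and never checks out or executes PR code.
name: preview (hardened)
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # merge commit, no privileged token to leak
      - run: yarn install && yarn build
      - uses: actions/upload-artifact@v4
        with:
          name: site-preview
          path: public/
```

A quick audit check for the same class of issue is to grep a repository's .github/workflows for `pull_request_target` and confirm that no such job checks out `github.event.pull_request.head.*` or runs install/build scripts from the PR.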

AI Explanation

### 1. Plain-Language Summary

This vulnerability allowed any GitHub user to run malicious code in the Eclipse Theia Website’s CI environment by submitting a pull request. The CI workflow accidentally executed the attacker’s code with high privileges, exposing secrets and granting write access to the repository and its packages.

### 2. Who Is Affected

- **Product:** Eclipse Theia Website repository (GitHub repository: `eclipse-theia/theia-website`).
- **Versions:** All versions using the vulnerable workflow (`.github/workflows/preview.yml`) before it was fixed. No specific version tags are mentioned; this applies to the repository’s state while the workflow was active.

### 3. Attacker Impact

An attacker could:

- Steal **repository secrets** (e.g., API keys, tokens).
- **Publish malicious packages** to the Eclipse Theia organization.
- **Modify the official Theia website** (e.g., deface pages, inject malicious content).

Generated: 2026-02-05 16:28

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/332
Source: emo@eclipse.org
Tags: Exploit, Issue Tracking, Vendor Advisory

1 reference(s) from NVD

Quick Stats

CVSS v3 Score
10.0 / 10.0
EPSS (Exploit Probability)
0.0%
9th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

eclipse