CVE-2026-44688
[Eclipse Theia] Indirect Prompt Injection via Adversarial Workspace File and Directory Names in AI Chat
Description
In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository with adversarial directory or file names that, when analyzed by the AI agent, would cause the agent to follow attacker-controlled instructions (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.
How to fix CVE-2026-44688
To remediate CVE-2026-44688, upgrade the affected package to a fixed version below.
- —upgrade to 1.71.0 or later
- —upgrade to 1.71.0 or later
- —upgrade to 1.71.0 or later
- —upgrade to 1.71.0 or later
- —upgrade to 1.71.0 or later
- —upgrade to 1.71.0 or later
- —upgrade to 1.71.0 or later
Is CVE-2026-44688 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-44688.
Affected packages (7)
- from 0, < 1.71.0
- from 0, < 1.71.0
- from 0, < 1.71.0
- from 0, < 1.71.0
- from 0, < 1.71.0
- from 0, < 1.71.0
- from 0, < 1.71.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |