What happened
In Eclipse Theia versions prior to 1.71.0 (CVSS 8.4 HIGH, published NVD June 18, 2026), the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker can craft a malicious repository with adversarial directory or file names that, when the repository is opened and analysed by the Theia AI agent, inject attacker-controlled instructions into the model's context — a classic indirect prompt injection via the filesystem.
Why it matters
This is a repository-borne prompt injection attack: a developer clones a malicious repo, opens it in Theia, and the AI agent's system prompt is silently poisoned by adversarial filenames. The agent may then exfiltrate code, execute malicious tool calls, or provide misleading guidance — all without any visible warning to the developer. Combined with Theia's AI tool-calling capabilities, this could achieve code execution or data exfiltration.
Attack vector
Attacker crafts a repository with file or directory names containing prompt injection payloads. When a developer opens the repository in Eclipse Theia and uses the AI chat agent (which includes workspace file names in its context), the injected instructions are processed as trusted system guidance.
Affected systems
Eclipse Theia < 1.71.0
Mitigation
Upgrade to Eclipse Theia 1.71.0 or later. See CVE assignment: https://gitlab.eclipse.org/security/cve-assignment/-/work_items/113