Vulnerability  ·  2026-06-19

Eclipse Theia AI Chat — Markdown Image Tags Enable Prompt-Injection-Driven Data Exfiltration (CVE-2026-22551)

Vulnerability · Medium impact · Global · CVE-2026-22551
In Eclipse Theia versions prior to 1.71.0 (CVSS 6.7 MEDIUM, NVD June 18, 2026), the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection via a malicious workspace (e.g. CVE-2026-44688 or CVE-2026-46580), an attacker could induce the AI agent to construct image URLs encoding exfiltrated data (file contents, credentials) and send them to an attacker-controlled server as part of the rendered response.
This completes a data-exfiltration chain in Eclipse Theia: indirect prompt injection via workspace artifacts (CVE-2026-44688/46580) → AI agent instructed to embed sensitive data in image URL → Theia renders the markdown and the browser/renderer makes an out-of-band HTTP request carrying exfiltrated data to an attacker server. No user interaction beyond opening the repository is required.
Prompt injection via workspace file names or .prompttemplate files instructs the AI agent to include sensitive content in a Markdown image URL. When Theia renders the AI response, an HTTP request is made to the attacker-controlled URL carrying the encoded data.
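As an added illustration, not code from this advisory or from the Eclipse Theia project, the following JavaScript models the pre-render control that closes this class of issue: before AI-generated Markdown reaches the renderer, every image reference is checked, remote images are only kept for an allowlisted origin, and anything else is replaced by its alt text and reported so it can be logged. The function names, the allowlist, the length threshold and the sample response are all assumptions made for the example.

```javascript
// Added example: a defensive filter for AI-chat Markdown, run before rendering.
// It is not Theia's fix; it demonstrates the class of mitigation. Names,
// the allowlist and the sample input are assumptions.

// Origins an AI response may load remote images from (assumed configuration;
// an empty set means "no remote images at all").
const ALLOWED_IMAGE_ORIGINS = new Set(["https://docs.example.org"]);

// Path/query payloads longer than this are flagged as likely data carriers.
const SUSPICIOUS_PAYLOAD_LENGTH = 64;

// Inline Markdown image: ![alt](url "optional title")
const MD_IMAGE_RE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;
// Raw HTML <img ...> that permissive renderers also turn into a fetch.
const HTML_IMG_RE = /<img\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)["']?[^>]*>/gi;

// Decide whether one image URL may be rendered. Returns
// { allowed, reason, suspicious } so callers can both block and log.
function classifyImageUrl(raw) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(raw);
  if (!hasScheme) {
    // Relative paths resolve against the application itself, not a third party.
    return { allowed: true, reason: "relative path", suspicious: false };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { allowed: false, reason: "unparseable URL", suspicious: false };
  }
  if (url.protocol === "data:") {
    // Inline data makes no network request; only accept image payloads.
    const isImage = /^data:image\//i.test(raw);
    return {
      allowed: isImage,
      reason: isImage ? "inline image data" : "non-image data URI",
      suspicious: false,
    };
  }
  if (ALLOWED_IMAGE_ORIGINS.has(url.origin)) {
    return { allowed: true, reason: "allowlisted origin", suspicious: false };
  }
  // Anything else is an out-of-band request to a host the user did not choose.
  const payload = url.pathname + url.search + url.hash;
  const suspicious = payload.length > SUSPICIOUS_PAYLOAD_LENGTH;
  return {
    allowed: false,
    reason: `remote origin ${url.origin} not allowlisted`,
    suspicious,
  };
}

// Rewrite AI-response Markdown so that only permitted images survive; blocked
// images become bracketed alt text and are returned to the caller for logging.
function sanitizeAiMarkdown(markdown) {
  const blocked = [];
  const replaceIfBlocked = (whole, alt, src) => {
    const verdict = classifyImageUrl(src);
    if (verdict.allowed) return whole;
    blocked.push({ url: src, ...verdict });
    return `[image blocked: ${alt || "no alt text"}]`;
  };
  let out = markdown.replace(MD_IMAGE_RE, (whole, alt, src) => replaceIfBlocked(whole, alt, src));
  out = out.replace(HTML_IMG_RE, (whole, src) => replaceIfBlocked(whole, "", src));
  return { markdown: out, blocked };
}

// Constructed sample response: one legitimate image, one remote image whose
// query string carries a long opaque token, and one raw <img> to a remote host.
const SAMPLE_RESPONSE = [
  "Here is the architecture diagram:",
  "![diagram](https://docs.example.org/arch.png)",
  "![status](https://collector.invalid/p.gif?d=" + "A".repeat(80) + ")",
  '<img src="https://collector.invalid/t.png">',
].join("\n");

function demo() {
  const result = sanitizeAiMarkdown(SAMPLE_RESPONSE);
  for (const b of result.blocked) {
    console.log(`blocked ${b.url} (${b.reason}${b.suspicious ? ", suspected exfiltration" : ""})`);
  }
  return result;
}

demo();
```

The `suspicious` flag is a logging aid, not the blocking decision: every non-allowlisted remote image is dropped regardless of how long its URL is, which is the property that matters. A Content-Security-Policy `img-src` directive on the chat view is a complementary browser-side control, since it stops the request even if a future renderer path bypasses the Markdown filter.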
Eclipse Theia < 1.71.0
Upgrade to Eclipse Theia 1.71.0 or later. See CVE assignment: https://gitlab.eclipse.org/security/cve-assignment/-/work_items/115
Sources
NVD — CVE-2026-22551
Eclipse Security CVE Assignment