CVE & CISA-KEV Catalog

CVE-2026-10055

HIGH
8.5
CVSS v3
NVD

Description

In Eclipse Theia since version 1.26.0, the backend /services/request-service RPC accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, performs the HTTP request server-side, and returns the full response body to the caller. Because the destination URL is neither validated nor allowlisted, a remote attacker with access to the Theia service connection can issue server-side HTTP requests to localhost or other backend-reachable hosts and read their responses, exposing internal administrative endpoints, cloud instance metadata services, and other resources that are intentionally outside the browser network boundary. The vulnerability affects deployments where the Theia service connection is reachable by untrusted users (for example, multi-tenant or publicly-reachable Theia deployments).

How to fix

No published remediation has been found for this vulnerability's affected products yet.

Mitigation guidance may be in the linked vendor advisories in the References section below.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredLow
User InteractionNone
ScopeChanged

Impact

ConfidentialityHigh
IntegrityLow
AvailabilityNone

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Exploit Intelligence

0.30%probability of exploitation in 30 days
21stpercentile

Low risk: more likely to be exploited than 21% of all known CVEs.

References

Embed a live status badge for CVE-2026-10055
CVE-2026-10055 severity badge

Markdown

[![CVE-2026-10055](https://tridentstack.com/cve/badge/CVE-2026-10055.svg)](https://tridentstack.com/cve/CVE-2026-10055)

HTML

<a href="https://tridentstack.com/cve/CVE-2026-10055"><img src="https://tridentstack.com/cve/badge/CVE-2026-10055.svg" alt="CVE-2026-10055"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-07-03.