CVE-2026-1699
Published: 30 January 2026
Summary
CVE-2026-1699 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Eclipse Theia Website. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked at the 11.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Secure configuration settings: establish and enforce a baseline for GitHub Actions workflows that prohibits the pull_request_target trigger from checking out and executing untrusted pull request code.
- AC-6 (Least Privilege): restrict GITHUB_TOKEN permissions in CI to the minimum required, so that arbitrary code execution in a job cannot use write access to contents, packages, pages, or actions.
- CM-5 (Access Restrictions for Change): limit modification of configuration-controlled workflow files such as preview.yml to authorized roles, preventing the introduction or persistence of a vulnerable trigger configuration.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables supply-chain compromise through malicious pull request code executing in CI (T1195.002), arbitrary command execution in the runner (T1059), and exfiltration of repository secrets and credentials (T1552.001).
NVD Description
In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.
Deeper analysis
CVE-2026-1699 is a critical vulnerability (CVSS 10.0, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) affecting the Eclipse Theia Website repository. The issue resides in the GitHub Actions workflow file .github/workflows/preview.yml, which uses the pull_request_target trigger while checking out and executing untrusted pull request code. This misconfiguration, tied to CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), exposes the CI environment to arbitrary code execution.
Any GitHub user can exploit this vulnerability by submitting a malicious pull request, triggering the workflow to run untrusted code with elevated privileges. The code executes in the repository's CI environment, gaining access to repository secrets and a GITHUB_TOKEN with broad write permissions (contents:write, packages:write, pages:write, actions:write). Successful exploitation allows attackers to exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code directly to the repository.
Mitigation details are documented in the Eclipse security advisory at https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/332, published on 2026-01-30.
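The following is a constructed illustration of the misconfiguration class described above, placed beside a hardened variant; it is not the actual preview.yml from the Eclipse Theia Website repository, and the step commands, the dist path and the DEPLOY_TOKEN secret name are assumptions.

```yaml
# Constructed example, NOT the real .github/workflows/preview.yml.
#
# Vulnerable pattern (CWE-829): pull_request_target runs in the context of the
# base repository, so the job receives repository secrets and a write-capable
# GITHUB_TOKEN, yet it checks out and builds the untrusted PR head. Any script
# the fork adds to package.json (install hooks, build step) runs with those
# privileges.
name: preview (vulnerable)
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:            # far broader than a preview build needs
  contents: write
  packages: write
  pages: write
  actions: write
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted code
      - run: npm ci && npm run build                        # runs fork's scripts
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}         # exposed to that code
---
# Hardened pattern: build the untrusted code under the plain pull_request
# trigger. For pull requests from forks this trigger provides a read-only
# GITHUB_TOKEN and no repository secrets, and the explicit permissions block
# enforces least privilege (AC-6) even for same-repo branches.
name: preview (hardened)
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # checks out the PR merge ref by default
      - run: npm ci && npm run build
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: dist                     # assumed build output directory
```

Any privileged step that publishes the preview belongs in a separate workflow triggered by workflow_run that downloads the artifact and never checks out or executes the pull request's code.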
Details
- CWE(s): CWE-829 (Inclusion of Functionality from Untrusted Control Sphere)