In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository.
The workflow .github/workflows/preview.yml used the pull_request_target trigger, which — unlike pull_request — runs in the context of the target repository (with access to secrets) while simultaneously fetching and executing code from an external pull request. An attacker could open a malicious pull request whose code was then executed in a privileged CI environment with access to repository secrets and a GITHUB_TOKEN with contents:write, packages:write, pages:write, and actions:write permissions. This is a classic 'pwn request' exploitation technique, classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
An attacker could steal repository secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia project website, and inject malicious code directly into the repository. The compromise could have affected the software supply chain distributed by the Eclipse organization.
Patches provided by the vendor should be applied according to references. Recommended actions include changing the trigger from pull_request_target to pull_request or adding explicit code verification before execution, restricting GITHUB_TOKEN permissions to the minimum necessary (principle of least privilege), and reviewing all workflows for similar configurations.
Eclipse Theia Website repository — workflow .github/workflows/preview.yml; CI/CD environment based on GitHub Actions with vulnerable pull_request_target trigger configuration
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HEclipse Theia Website
APPEclipse< 2026-01-22
Related vulnerabilities
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Consol...
A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mech...
Path Traversal w Eclipse OpenMQ umożliwia odczyt plików i potencjalny RCE
Eclipse OpenMQ — domyślne dane logowania umożliwiają przejęcie kontroli
Eclipse Cyclone DDS — błędna weryfikacja czasu certyfikatu umożliwia eskalację uprawnień