CVE-2026-1699 is a critical security vulnerability identified in the Eclipse Theia Website repository's GitHub Actions workflow, specifically in the .github/workflows/preview.yml file. The root cause is the use of the pull_request_target event trigger, which runs workflows in the context of the base branch but allows execution of code from untrusted pull requests. This design flaw enables any GitHub user submitting a pull request to execute arbitrary code within the repository's continuous integration (CI) environment. The workflow has access to sensitive repository secrets and a GITHUB_TOKEN endowed with extensive write permissions, including contents:write, packages:write, pages:write, and actions:write. Consequently, an attacker can exfiltrate confidential secrets, publish malicious packages under the eclipse-theia organization, alter the official Theia website content, and push malicious code directly to the repository. The vulnerability is classified under CWE-829, which involves the inclusion of functionality from an untrusted control sphere, highlighting the risk of executing untrusted code with elevated privileges. The CVSS 3.1 base score is 10.0, indicating critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. Although no known exploits in the wild have been reported, the vulnerability's nature and permissions involved make it highly exploitable and dangerous. The issue underscores the risks of insecure CI/CD pipeline configurations and the need for strict controls when handling untrusted code in automated workflows.

For European organizations, especially those involved in software development, open-source contributions, or using Eclipse Theia as part of their tooling, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive repository secrets, including credentials and tokens, enabling further lateral movement or supply chain attacks. Attackers could publish malicious packages under trusted Eclipse Theia namespaces, potentially compromising downstream users and organizations relying on these packages. The integrity of the official Theia website could be compromised, damaging trust and potentially distributing misinformation or malicious content. Additionally, attackers could push malicious code directly to the repository, affecting all users who pull updates. This could result in widespread compromise of development environments and production systems. The critical severity and ease of exploitation without authentication or user interaction amplify the threat. European organizations with CI/CD pipelines integrated with GitHub Actions and those contributing to or maintaining Eclipse Theia are particularly vulnerable. The potential for supply chain attacks also raises concerns for the broader European software ecosystem, potentially impacting critical infrastructure and enterprises relying on affected software components.

To mitigate this vulnerability, organizations and maintainers should immediately revise GitHub Actions workflows to avoid using the pull_request_target trigger when executing untrusted code. Instead, use the pull_request trigger, which runs workflows in the context of the pull request's fork and limits access to secrets. Secrets should never be exposed to workflows triggered by untrusted pull requests. Implement strict secret management policies, including rotating and limiting the scope of repository secrets and tokens. Employ least privilege principles for GITHUB_TOKEN permissions, restricting write access to only what is necessary. Use GitHub's environment protection rules and required reviewers to control workflow execution. Additionally, consider isolating CI environments and using ephemeral runners to limit the impact of potential code execution. Regularly audit workflows and repository permissions for security best practices. Monitoring and alerting on unusual repository activity, such as unexpected package publications or code pushes, can help detect exploitation attempts early. Finally, maintain up-to-date dependencies and apply patches promptly once available from the Eclipse Foundation.