CVE-2026-1699

10.0 CRITICAL

📋 TL;DR

This CVE describes a critical GitHub Actions vulnerability in Eclipse Theia's website repository: a workflow using the pull_request_target trigger checked out and executed code from untrusted pull requests. That lets any GitHub user run arbitrary code in the CI environment with the workflow's extensive permissions, potentially exposing repository secrets and allowing malicious modifications. Organizations using the affected Eclipse Theia Website repository with the vulnerable workflow are at risk.

💻 Affected Systems

Products:
  • Eclipse Theia Website repository
Versions: All versions using the vulnerable .github/workflows/preview.yml workflow
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the GitHub Actions workflow configuration in the repository, not the Theia IDE software itself.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the eclipse-theia organization including exfiltration of all repository secrets, publication of malicious packages to official repositories, modification of the official Theia website to serve malware, and injection of backdoors into the codebase.

🟠 Likely Case

Attackers exfiltrate repository secrets (API keys, tokens) and potentially publish malicious packages or modify website content before detection.

🟢 If Mitigated

Limited impact with proper secret rotation and audit of recent changes, but still requires cleanup of potentially compromised artifacts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires GitHub account access but the technique is well-known in GitHub Actions security research. The pull_request_target trigger with untrusted code checkout is a documented anti-pattern.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Repository commit that fixes the workflow

Vendor Advisory: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/332

Restart Required: No

Instructions:

  1. Review the fix in the Eclipse security advisory.
  2. Update the .github/workflows/preview.yml file to remove the pull_request_target trigger or properly sandbox untrusted code.
  3. Commit and push the fixed workflow.
  4. Rotate all repository secrets (GITHUB_TOKEN, other stored secrets).
  5. Audit recent workflow runs for suspicious activity.

🔧 Temporary Workarounds

Disable vulnerable workflow

Applies to: all

Temporarily disable the preview.yml workflow to prevent exploitation

Navigate to repository Settings > Actions > Workflow permissions, or modify the workflow file to disable it

Restrict workflow permissions

Applies to: all

Reduce the GITHUB_TOKEN permissions to the minimum the workflow requires.

In the workflow file, set permissions: contents: read (or the specific minimal permissions the jobs need).

🧯 If You Can't Patch

  • Immediately rotate all repository secrets including GITHUB_TOKEN, API keys, and deployment credentials
  • Disable the vulnerable workflow in repository settings and audit all recent pull requests and workflow executions

🔍 How to Verify

Check if Vulnerable:

Check whether .github/workflows/preview.yml uses the pull_request_target trigger while also checking out and executing code from the pull request (for example, a checkout of github.event.pull_request.head.sha).
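As an added example (not code from this advisory or from the Eclipse Theia project), the following Python script implements the check described above and the shape of the fix in the instructions: it flags a workflow file whose top-level on: block contains pull_request_target and whose checkout ref points at the pull request head, and it carries a constructed vulnerable workflow beside a constructed hardened one. The step commands, permissions and secret name in both samples are assumptions; only the trigger and the head.sha checkout come from the advisory.

```python
"""Heuristic scanner for the pull_request_target + untrusted-checkout pattern.

Added example for this advisory; it is not code from the Eclipse Theia project.
It works on the raw text of a workflow file so it needs no YAML library, and
it is a heuristic: a clean result is not proof that a workflow is safe.
"""
import re

# Constructed sample of the risky shape the advisory describes. The step
# contents, permissions and secret name are assumptions, not the real file.
VULNERABLE_WORKFLOW = """\
name: preview
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  pull-requests: write
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: yarn install && yarn build
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

# Constructed sample of a hardened shape: a plain pull_request trigger (fork
# PRs get a read-only token and no secrets), read-only permissions, and no
# checkout of the PR head ref under a privileged trigger.
FIXED_WORKFLOW = """\
name: preview
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: yarn install && yarn build
"""

# A `ref:` that points at the PR head, in the expression forms used for it.
UNTRUSTED_REF = re.compile(
    r"\bref\s*:\s*.*(?:github\.event\.pull_request\.head\.(?:sha|ref)"
    r"|github\.head_ref)"
)
# Any write-level permission entry, including the `write-all` shorthand.
WRITE_PERMS = re.compile(
    r"^\s+[\w-]+\s*:\s*write\s*$|^permissions\s*:\s*write-all", re.M
)


def _on_section(text: str) -> str:
    """Return the top-level `on:` block (the trigger definition) as text."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r'^(?:"on"|on)\s*:', line):
            block = [line]
            for nxt in lines[i + 1:]:
                if nxt.strip() and not nxt[0].isspace():
                    break  # the next top-level key ends the block
                block.append(nxt)
            return "\n".join(block)
    return ""


def check_workflow(text: str) -> dict:
    """Classify one workflow file's text against the advisory's pattern."""
    trigger = bool(re.search(r"\bpull_request_target\b", _on_section(text)))
    checkout = bool(UNTRUSTED_REF.search(text))
    return {
        "pull_request_target": trigger,
        "untrusted_checkout": checkout,
        "write_permissions": bool(WRITE_PERMS.search(text)),
        "secrets_referenced": "secrets." in text,
        # Both halves together are the vulnerable combination; either alone
        # deserves a look but is not by itself the bug described here.
        "vulnerable": trigger and checkout,
    }


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(label, check_workflow(text))
```

Run it against each file under .github/workflows/; the write_permissions and secrets_referenced fields do not change the verdict but tell you how much a flagged workflow could reach, which is what decides whether secret rotation is needed.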

Check Version:

git log --oneline -n 5 .github/workflows/preview.yml

Verify Fix Applied:

Verify the workflow no longer uses pull_request_target with untrusted code execution, or uses proper sandboxing techniques

📡 Detection & Monitoring

Log Indicators:

  • Unexpected workflow runs from pull requests, unusual package publications, website modifications from CI/CD
  • Workflow logs showing code execution from pull_request_target events

Network Indicators:

  • Unexpected outbound connections from GitHub Actions runners to external IPs
  • Data exfiltration patterns in workflow network traffic

SIEM Query:

source="github-actions" AND (event="pull_request_target" OR workflow="preview.yml") AND status="completed" | stats count by actor, repository, run_id
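The audit step in the fix instructions and the log indicators above both come down to reviewing which pull_request_target runs executed code from outside the maintainers' control. The following Python triage, an added example that is not part of the advisory or the Eclipse Theia project, does that over run records shaped like the fields of the GitHub REST API's workflow-runs listing (id, event, actor.login, head_repository, head_branch, conclusion, created_at). The records, organisation, actors, ids and the trusted-actor set are constructed for the example.

```python
"""Triage of GitHub Actions run records for the pattern in this advisory.

Added example; not part of the advisory or the Eclipse Theia project. The
records below are constructed to mirror fields of the GitHub REST API's
workflow-runs listing; the organisation, actors, ids and dates are made up.
"""
from datetime import datetime

SAMPLE_RUNS = [
    {"id": 1001, "name": "preview", "event": "pull_request_target",
     "actor": {"login": "maintainer-a"},
     "head_repository": {"full_name": "example-org/website", "fork": False},
     "head_branch": "fix-typo", "conclusion": "success",
     "created_at": "2026-02-01T10:00:00Z"},
    {"id": 1002, "name": "preview", "event": "pull_request_target",
     "actor": {"login": "newcomer-42"},
     "head_repository": {"full_name": "newcomer-42/website", "fork": True},
     "head_branch": "docs-update", "conclusion": "success",
     "created_at": "2026-02-02T03:14:00Z"},
    {"id": 1003, "name": "deploy", "event": "push",
     "actor": {"login": "maintainer-a"},
     "head_repository": {"full_name": "example-org/website", "fork": False},
     "head_branch": "main", "conclusion": "success",
     "created_at": "2026-02-02T09:00:00Z"},
    {"id": 1004, "name": "preview", "event": "pull_request_target",
     "actor": {"login": "newcomer-42"},
     "head_repository": None,  # the API returns null once a fork is deleted
     "head_branch": "docs-update", "conclusion": "failure",
     "created_at": "2026-01-20T08:00:00Z"},
]

# Constructed allowlist; in practice derive it from the org's membership.
TRUSTED_ACTORS = {"maintainer-a", "maintainer-b"}


def parse_ts(value: str) -> datetime:
    """Parse the API's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_runs(runs, trusted_actors, since=None):
    """Return pull_request_target runs that warrant review, newest first.

    A run is flagged when the workflow's privileged context was reachable by
    code from outside the trusted group: a fork head, an actor outside the
    allowlist, or a head repository that no longer exists (so the code that
    ran cannot be re-inspected from the PR).
    """
    findings = []
    for run in runs:
        if run["event"] != "pull_request_target":
            continue
        ts = parse_ts(run["created_at"])
        if since is not None and ts < since:
            continue
        reasons = []
        head = run.get("head_repository")
        if head is None:
            reasons.append("head repository missing (deleted fork?)")
        elif head.get("fork"):
            reasons.append("head repository is a fork")
        actor = run["actor"]["login"]
        if actor not in trusted_actors:
            reasons.append("actor not in trusted set")
        if not reasons:
            continue
        # Two independent reasons and a successful run is the case to open
        # first: untrusted code ran to completion with the workflow's token.
        high = len(reasons) >= 2 and run["conclusion"] == "success"
        findings.append({
            "id": run["id"], "workflow": run["name"], "actor": actor,
            "conclusion": run["conclusion"], "created_at": ts,
            "reasons": reasons, "priority": "high" if high else "medium",
        })
    findings.sort(key=lambda f: f["created_at"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage_runs(SAMPLE_RUNS, TRUSTED_ACTORS):
        print(f["priority"], f["id"], f["actor"], "; ".join(f["reasons"]))
```

Feed it the runs exported for the affected repository and set since to the date the vulnerable trigger was introduced (the git log command above gives it); every high-priority finding is a run whose logs and any artifacts or deployments it produced should be reviewed before the secret rotation is considered complete.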
