PROBABLYPWNED
VulnerabilitiesJuly 7, 20264 min read

JetBrains Patches Critical Flaws Enabling IDE and Hub Takeover

JetBrains fixes CVSS 9.8 account takeover bug in Hub and multiple RCE vulnerabilities across IntelliJ, GoLand, and other IDEs. Update immediately.

Marcus Chen

JetBrains has released patches for multiple critical vulnerabilities affecting its Hub authentication platform and popular IDEs including IntelliJ IDEA, GoLand, and the entire JetBrains product family. The most severe flaw allows unauthenticated attackers to take over any account—including administrator accounts—on self-hosted Hub instances.

Organizations running JetBrains products on-premises should prioritize these updates. The combination of authentication bypass and remote code execution vulnerabilities could allow attackers to compromise development infrastructure, steal source code, or inject malicious code into projects.

Hub Authentication Bypass (CVE-2026-56141, CVSS 9.8)

The most critical vulnerability affects JetBrains Hub, the single sign-on platform that manages authentication for YouTrack, TeamCity, and other JetBrains server products. CVE-2026-56141 stems from a weak random number generator producing predictable account-restore codes.

An unauthenticated attacker can enumerate valid restore codes and hijack any account on the Hub instance—including administrators. Once an attacker controls an admin account, they gain access to every connected JetBrains service: CI/CD pipelines in TeamCity, issue tracking in YouTrack, and potentially the ability to modify builds or inject malicious code.

A second Hub vulnerability, CVE-2026-50242, allows authentication bypass through direct database access, providing another path to administrative control.

IntelliJ IDEA Code Execution Vulnerabilities

IntelliJ IDEA, the flagship IDE used by millions of developers, received patches for two high-severity flaws:

CVE-2026-49366 is a command injection vulnerability triggered through the filename completion feature. When a developer uses autocomplete on specially crafted filenames, the IDE executes attacker-controlled commands. This could be exploited through malicious repositories where an attacker has placed files with weaponized names.

CVE-2026-49367 affects Code With Me, JetBrains' collaborative coding feature. A guest user with minimal permissions can exploit this authentication bypass to execute commands on the host system. Organizations using Code With Me for pair programming or remote collaboration should update before allowing external users into sessions.

GoLand Remote Code Execution (CVE-2026-53915)

GoLand, the Go development IDE, contains a high-severity RCE vulnerability triggered by loading untrusted project configuration files. Opening a malicious project—whether cloned from a repository or received via email—could compromise the developer's machine.

This attack pattern has become increasingly common: attackers create poisoned repositories that exploit IDE parsing vulnerabilities when developers clone and open them. Similar issues have affected VS Code extensions and other development tools.

All JetBrains IDEs Affected

The patches apply across the entire JetBrains IDE ecosystem:

  • IntelliJ IDEA (Community and Ultimate)
  • PyCharm
  • WebStorm
  • GoLand
  • CLion
  • Rider
  • DataGrip
  • RubyMine
  • PhpStorm
  • AppCode

Any organization using JetBrains products should inventory deployed versions and apply updates. Self-hosted Hub, YouTrack, and TeamCity instances require immediate attention due to the account takeover vulnerabilities.

Attack Scenarios

These vulnerabilities create several concerning attack chains:

Supply Chain Compromise: An attacker who gains TeamCity admin access through Hub vulnerabilities can modify build configurations to inject malicious code into software releases. Given how many organizations use JetBrains tools, this represents significant supply chain risk.

Developer Machine Compromise: The IDE vulnerabilities allow attackers to compromise developer workstations through malicious repositories. Once on a developer machine, attackers can steal credentials, access internal repositories, or pivot deeper into corporate networks.

Collaboration Attacks: The Code With Me vulnerability is particularly insidious—an attacker invited as a guest to a coding session could compromise the host's machine while appearing to participate in legitimate collaboration.

Patching Guidance

JetBrains recommends immediate updates:

  1. Hub/YouTrack/TeamCity: Update to the latest versions from JetBrains download servers
  2. Desktop IDEs: Use the built-in updater (Help > Check for Updates) or download fresh installers
  3. Toolbox App users: Enable automatic updates if not already configured

For organizations that cannot immediately patch:

  • Restrict network access to Hub instances to trusted networks only
  • Disable Code With Me until the IntelliJ update is applied
  • Warn developers against opening projects from untrusted sources
  • Audit Hub account-restore activity logs for suspicious enumeration attempts

Broader Context

JetBrains products represent critical infrastructure for many software organizations. We previously covered malicious JetBrains plugins being used to steal API keys—these new vulnerabilities represent a different threat vector targeting the IDEs and authentication systems themselves.

Development tools have become prime targets because compromising a developer often means compromising everything they have access to: source code, cloud credentials, production systems, and the ability to ship malicious code to customers. The JetBrains patches address serious flaws, but they also serve as a reminder that IDEs and development infrastructure require the same security attention as production systems.

Related Articles