JetBrains Patches Critical Flaws Enabling IDE and Hub Takeover
JetBrains fixes CVSS 9.8 account takeover bug in Hub and multiple RCE vulnerabilities across IntelliJ, GoLand, and other IDEs. Update immediately.
JetBrains has released patches for multiple critical vulnerabilities affecting its Hub authentication platform and popular IDEs including IntelliJ IDEA, GoLand, and the entire JetBrains product family. The most severe flaw allows unauthenticated attackers to take over any account—including administrator accounts—on self-hosted Hub instances.
Organizations running JetBrains products on-premises should prioritize these updates. The combination of authentication bypass and remote code execution vulnerabilities could allow attackers to compromise development infrastructure, steal source code, or inject malicious code into projects.
Hub Authentication Bypass (CVE-2026-56141, CVSS 9.8)
The most critical vulnerability affects JetBrains Hub, the single sign-on platform that manages authentication for YouTrack, TeamCity, and other JetBrains server products. CVE-2026-56141 stems from a weak random number generator producing predictable account-restore codes.
An unauthenticated attacker can enumerate valid restore codes and hijack any account on the Hub instance—including administrators. Once an attacker controls an admin account, they gain access to every connected JetBrains service: CI/CD pipelines in TeamCity, issue tracking in YouTrack, and potentially the ability to modify builds or inject malicious code.
A second Hub vulnerability, CVE-2026-50242, allows authentication bypass through direct database access, providing another path to administrative control.
IntelliJ IDEA Code Execution Vulnerabilities
IntelliJ IDEA, the flagship IDE used by millions of developers, received patches for two high-severity flaws:
CVE-2026-49366 is a command injection vulnerability triggered through the filename completion feature. When a developer uses autocomplete on specially crafted filenames, the IDE executes attacker-controlled commands. This could be exploited through malicious repositories where an attacker has placed files with weaponized names.
CVE-2026-49367 affects Code With Me, JetBrains' collaborative coding feature. A guest user with minimal permissions can exploit this authentication bypass to execute commands on the host system. Organizations using Code With Me for pair programming or remote collaboration should update before allowing external users into sessions.
GoLand Remote Code Execution (CVE-2026-53915)
GoLand, the Go development IDE, contains a high-severity RCE vulnerability triggered by loading untrusted project configuration files. Opening a malicious project—whether cloned from a repository or received via email—could compromise the developer's machine.
This attack pattern has become increasingly common: attackers create poisoned repositories that exploit IDE parsing vulnerabilities when developers clone and open them. Similar issues have affected VS Code extensions and other development tools.
All JetBrains IDEs Affected
The patches apply across the entire JetBrains IDE ecosystem:
- IntelliJ IDEA (Community and Ultimate)
- PyCharm
- WebStorm
- GoLand
- CLion
- Rider
- DataGrip
- RubyMine
- PhpStorm
- AppCode
Any organization using JetBrains products should inventory deployed versions and apply updates. Self-hosted Hub, YouTrack, and TeamCity instances require immediate attention due to the account takeover vulnerabilities.
Attack Scenarios
These vulnerabilities create several concerning attack chains:
Supply Chain Compromise: An attacker who gains TeamCity admin access through Hub vulnerabilities can modify build configurations to inject malicious code into software releases. Given how many organizations use JetBrains tools, this represents significant supply chain risk.
Developer Machine Compromise: The IDE vulnerabilities allow attackers to compromise developer workstations through malicious repositories. Once on a developer machine, attackers can steal credentials, access internal repositories, or pivot deeper into corporate networks.
Collaboration Attacks: The Code With Me vulnerability is particularly insidious—an attacker invited as a guest to a coding session could compromise the host's machine while appearing to participate in legitimate collaboration.
Patching Guidance
JetBrains recommends immediate updates:
- Hub/YouTrack/TeamCity: Update to the latest versions from JetBrains download servers
- Desktop IDEs: Use the built-in updater (Help > Check for Updates) or download fresh installers
- Toolbox App users: Enable automatic updates if not already configured
For organizations that cannot immediately patch:
- Restrict network access to Hub instances to trusted networks only
- Disable Code With Me until the IntelliJ update is applied
- Warn developers against opening projects from untrusted sources
- Audit Hub account-restore activity logs for suspicious enumeration attempts
Broader Context
JetBrains products represent critical infrastructure for many software organizations. We previously covered malicious JetBrains plugins being used to steal API keys—these new vulnerabilities represent a different threat vector targeting the IDEs and authentication systems themselves.
Development tools have become prime targets because compromising a developer often means compromising everything they have access to: source code, cloud credentials, production systems, and the ability to ship malicious code to customers. The JetBrains patches address serious flaws, but they also serve as a reminder that IDEs and development infrastructure require the same security attention as production systems.
Related Articles
Langflow Flaw Lets Anyone Execute Code on AI Workflow Servers
CVE-2026-10134 enables unauthenticated RCE in Langflow OSS through public flows. Attackers can run arbitrary Python on servers via the build endpoint.
Jul 7, 2026libssh2 Pre-Auth RCE (CVE-2026-55200) PoC Now Public
A critical memory corruption flaw in libssh2 lets malicious SSH servers execute code on connecting clients—no credentials needed. PoC dropped June 29.
Jun 30, 2026Splunk Enterprise RCE Flaw Under Active Attack — PoC Public
CVE-2026-20253 in Splunk Enterprise lets unauthenticated attackers execute code via an unprotected PostgreSQL sidecar. Over 1,400 instances exposed. Patch or disable the service now.
Jun 26, 2026PixelSmash FFmpeg Bug Turns Media Files Into RCE Weapons
CVE-2026-8461 is a heap overflow in FFmpeg's MagicYUV decoder that enables remote code execution via malicious video files. Jellyfin, Kodi, and Nextcloud affected.
Jun 23, 2026