
Critical JetBrains Vulnerabilities Enable Authentication Bypass and Code Execution Attacks


Jul 02, 2026 · 3 min read

JetBrains has released security updates for a cluster of critical vulnerabilities that enable authentication bypass, account takeover, and remote code execution (RCE) across its on‑premise ecosystem, including Hub, YouTrack, IntelliJ‑based IDEs, Kotlin, GoLand, and TeamCity.

These flaws put development and CI/CD environments at direct risk of compromise if organizations delay patching. The most severe issues affect JetBrains Hub and YouTrack, which act as central identity and project management components.

In Hub, one critical bug allows account takeover through predictable restore codes: because a recovery token can be derived rather than merely brute-forced, an attacker can produce a valid code for a chosen account and hijack existing users systematically.
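To make the restore-code weakness concrete, here is an added example (it is not code from the article or from JetBrains) contrasting a token derived from guessable state with one drawn from a CSPRNG and handled as single-use, hashed and rate-limited on the server. The weak generator, the seed inputs and the `RestoreCodeStore` class are assumptions standing in for the vulnerability class the article describes, not Hub's actual implementation.

```python
"""Added example: predictable vs. unguessable account-restore codes.
Not JetBrains code; the weak generator models the bug class only."""
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass

CODE_BYTES = 32  # 256 bits of entropy for the safe generator


def weak_restore_code(user_id: int, issued_at: int) -> str:
    """Vulnerable pattern (assumed): token derived from predictable inputs.
    Anyone who knows the user id and roughly when the reset was requested
    can reproduce the code without ever seeing it."""
    rng = random.Random(f"{user_id}:{issued_at}")  # str seed is deterministic
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(8))


def guess_weak_code(user_id: int, seen_at: int, window_seconds: int = 300) -> list:
    """Attacker's search: re-derive every candidate over the plausible issue
    window. Cost is linear in the window, not in the token length."""
    return [weak_restore_code(user_id, t)
            for t in range(seen_at - window_seconds, seen_at + 1)]


def safe_restore_code() -> str:
    """Hardened pattern: OS CSPRNG, 256 bits, URL-safe encoding."""
    return secrets.token_urlsafe(CODE_BYTES)


@dataclass
class _Pending:
    digest: str      # sha256 of the code; the code itself is never stored
    expires_at: int  # unix seconds
    attempts: int = 0


class RestoreCodeStore:
    """Server side (assumed design): hashed at rest, short TTL, single use,
    and invalidated after repeated wrong guesses."""
    TTL_SECONDS = 900
    MAX_ATTEMPTS = 5

    def __init__(self) -> None:
        self._pending: dict[int, _Pending] = {}

    def issue(self, user_id: int, now: int) -> str:
        code = safe_restore_code()
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[user_id] = _Pending(digest, now + self.TTL_SECONDS)
        return code  # delivered out of band to the account owner

    def redeem(self, user_id: int, presented: str, now: int) -> bool:
        entry = self._pending.get(user_id)
        if entry is None or now > entry.expires_at:
            self._pending.pop(user_id, None)
            return False
        entry.attempts += 1
        presented_digest = hashlib.sha256(presented.encode()).hexdigest()
        ok = hmac.compare_digest(presented_digest, entry.digest)  # constant time
        if ok or entry.attempts >= self.MAX_ATTEMPTS:
            del self._pending[user_id]  # single use, or lock out after abuse
        return ok
```

The attacker-side search only works against the weak generator: against `safe_restore_code` the candidate list is useless, and the store's attempt cap and TTL bound online guessing regardless of how the code was generated.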

A second Hub flaw lets attackers escalate privileges by attaching authentication details from other accounts, effectively binding higher‑privilege credentials to their own profile.


Even more dangerous, multiple Hub vulnerabilities enable authentication bypass, both through direct database access and through missing authorization checks on administrative actions.

Either path breaches the trust boundary between the application logic and the data store, granting an attacker full admin capabilities without valid credentials.

YouTrack exhibits a similar pattern, with a critical authentication bypass tied to direct database access that allows an attacker to obtain administrative control over the issue‑tracking system.

Alongside these identity‑layer issues, JetBrains has fixed several execution‑level vulnerabilities that can be chained together with compromised accounts to complete an environment takeover.

Kotlin is affected by unsafe deserialization in build cache metadata, allowing specially crafted data to trigger arbitrary code execution during build operations.

GoLand includes a remote code execution flaw rooted in untrusted project configuration, allowing execution of attacker-controlled logic simply by opening a malicious project.

IntelliJ IDEA suffers from multiple execution vectors, including command injection through filename completion and command execution via the guest user account, both of which can be abused when attackers influence project content or guest sessions.

Additional template-driven bugs expand the attack surface for injection-based code execution. A TeamCity flaw enables remote code execution through Perforce connection settings, posing a significant software supply chain risk.

An attacker who first abuses an authentication bypass in Hub or YouTrack and then leverages an RCE primitive in TeamCity or an IDE can pivot from a single foothold to full control over builds, artifacts, and deployments.

Recent 2024–2026 release lines are affected, meaning even relatively up‑to‑date on‑premise instances remain exposed until the latest security builds are applied.

Multi‑tenant or shared JetBrains deployments face an added risk of cross‑project data exposure and build tampering, especially where guest access, remote development, or untrusted projects are common.

JetBrains has shipped fixed versions for all impacted products, including updated Hub and YouTrack releases, patched Kotlin and GoLand builds, and new IntelliJ and TeamCity versions that close the RCE and auth‑bypass paths.

Administrators should prioritize upgrading Hub and YouTrack to the latest available versions, restrict and monitor any direct database access, and enforce strong authentication (including MFA) around JetBrains services.

TeamCity operators must apply the newest security releases, rotate credentials and tokens used in build configurations, and review build logs and configuration histories for suspicious changes.

On developer endpoints, organizations should mandate updates to the latest IDE builds, limit opening of untrusted projects, and revisit plugin trust policies.

Finally, security teams should audit JetBrains logs for anomalous administrative actions and tighten role‑based access controls to reduce the blast radius of similar vulnerabilities in the future.


Source: CybersecurityNews.com
