
JetBrains has patched a cluster of critical vulnerabilities across Hub, IntelliJ IDEA, YouTrack, and Kotlin — and if your team runs any self-hosted JetBrains infrastructure, today is your patch day. The headliner is CVE-2026-56141, a CVSS 9.8 flaw in Hub that lets an unauthenticated attacker take over any account — including admins — by exploiting predictable account-restore codes. No credentials required.
Hub: Three Flaws, One Patch
Hub is the identity and SSO layer that ties the JetBrains enterprise stack together. Compromise Hub, and you’re looking at a potential cascade: YouTrack, TeamCity, and any service that federates authentication through it are all downstream of that trust. That’s why the three Hub CVEs in this batch deserve the most immediate attention.
CVE-2026-56141 (CVSS 9.8) is the critical one. Hub’s account-restore codes are generated by a weak random number generator — an unauthenticated attacker who knows a target’s username or email can request a restore, then enumerate valid codes. The result is full account takeover, admin accounts included. No login required. This is the textbook definition of a critical vulnerability: low complexity, no privileges, no user interaction, high impact.
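The page does not say how Hub generated its restore codes, only that the generator was weak. The following added example (my own illustration, not JetBrains' code) shows the controls a defender expects around an account-restore code: a CSPRNG-backed code, a constant-time comparison, single use, a short lifetime, and a per-account attempt limit so that guessing cannot run unbounded. `RestoreCodeService`, `weak_code_for_illustration` and the constants are hypothetical names; the seeded generator is included only to show why a deterministic PRNG yields reproducible codes.

```python
import hmac
import math
import random
import secrets
import time
from collections import defaultdict

CODE_BYTES = 24            # 24 random bytes -> 32 URL-safe chars (no padding)
MAX_ATTEMPTS = 5           # failed verifications per account before lockout (assumed policy)
CODE_TTL_SECONDS = 15 * 60 # restore codes are short-lived (assumed policy)


def weak_code_for_illustration(seed: int) -> str:
    """Anti-pattern: a seeded, non-cryptographic PRNG. Same seed, same 'secret'.
    Shown only to illustrate predictability; never use for tokens."""
    rng = random.Random(seed)
    return f"{rng.randrange(10**6):06d}"


def entropy_bits(code_length: int, alphabet_size: int = 64) -> float:
    """Bits of entropy in a code drawn uniformly from an alphabet (base64url -> 64)."""
    return code_length * math.log2(alphabet_size)


class RestoreCodeService:
    """Hypothetical account-restore flow: issue, verify with throttling, expire."""

    def __init__(self, now=time.time):
        self._now = now                    # injectable clock for testing
        self._pending = {}                 # account -> (code, issued_at)
        self._failures = defaultdict(int)  # account -> failed attempts

    def issue(self, account: str) -> str:
        # secrets uses the OS CSPRNG; codes are not reproducible from any seed.
        code = secrets.token_urlsafe(CODE_BYTES)
        self._pending[account] = (code, self._now())
        return code

    def verify(self, account: str, candidate: str) -> bool:
        if self._failures[account] >= MAX_ATTEMPTS:
            return False                   # locked out: enumeration stops here
        entry = self._pending.get(account)
        if entry is None:
            self._failures[account] += 1
            return False
        code, issued_at = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._pending[account]     # expired codes are discarded
            self._failures[account] += 1
            return False
        if not hmac.compare_digest(code, candidate):
            self._failures[account] += 1   # constant-time compare, count the miss
            return False
        del self._pending[account]         # single use
        self._failures[account] = 0
        return True


if __name__ == "__main__":
    svc = RestoreCodeService()
    code = svc.issue("alice")
    print("issued", len(code), "chars,", entropy_bits(len(code)), "bits")
    print("wrong code accepted?", svc.verify("alice", "000000"))
    print("right code accepted?", svc.verify("alice", code))
```

The lockout counter and expiry are what turn a guessable code into a bounded problem even when the generator is sound; the CSPRNG is what makes the guessing space large in the first place.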
CVE-2026-50242 is a second authentication bypass, this time via direct database access. An attacker who reaches Hub’s data layer can bypass the login stack entirely and gain administrative control. CVE-2026-56142 closes a privilege escalation path where authenticated users could attach unauthorized authentication details to their own account — particularly dangerous in SSO environments where a single account controls access to multiple systems.
All three are fixed in Hub 2026.1.13757, with backports available for the 2025.x and 2024.x release lines. If you run self-hosted Hub, upgrade now.
IntelliJ IDEA: Two RCEs via Project Files
IntelliJ IDEA — used by 84% of Java developers and deployed across 88 of the Fortune Global Top 100 — picked up two high-severity RCE fixes in this round.
CVE-2026-49382 is a template injection in the Copyright plugin. A malicious copyright configuration embedded in a shared repository executes arbitrary code the moment a developer opens the project. The exploit requires user interaction — someone has to open the project — but in an era where cloning repos is second nature, “requires user interaction” is not the safety net it sounds like. The fix is IntelliJ IDEA 2026.1.
CVE-2026-49366 is a command injection vulnerability in filename completion. When a developer invokes autocomplete against attacker-controlled file paths, unsanitized input gets passed to OS-level commands. The fix is IntelliJ IDEA 2026.1.1. If you haven’t updated past 2026.1, this one still applies to you.
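The page describes the class of bug (a file name reaching an OS-level command unsanitized) without showing the code path. As an added illustration, not JetBrains' code, the example below contrasts the unsafe pattern of interpolating a name into a shell string with the two hardened forms: passing the name as a discrete argv element with no shell involved, or quoting it with `shlex.quote` when a shell string is unavoidable. It also includes a small metacharacter check of the kind a reviewer or logging hook might apply. The sample file name is constructed, and `echo_argv` uses the Python interpreter itself as the child process so the demonstration runs offline on any system.

```python
import re
import shlex
import subprocess
import sys

# Constructed sample: a file name carrying shell metacharacters.
HOSTILE_NAME = "notes.txt; id"

# Characters a POSIX shell would interpret if the name were pasted into a command string.
_SHELL_META = re.compile(r"[;&|`$<>(){}\[\]*?!\\\"'\s]")


def looks_like_injection(filename: str) -> bool:
    """Detection aid: does this name contain characters a shell would act on?"""
    return bool(_SHELL_META.search(filename))


def unsafe_shell_command(tool: str, filename: str) -> str:
    """The vulnerable pattern: raw interpolation. Built here for comparison, never executed."""
    return f"{tool} {filename}"


def build_argv(tool: str, filename: str) -> list:
    """Safe form: the name is a single argv element and no shell ever parses it.
    The '--' ends option parsing so a name beginning with '-' is not read as a flag."""
    return [tool, "--", filename]


def build_shell_command(tool: str, filename: str) -> str:
    """Fallback when a shell string is unavoidable: shlex.quote keeps the name literal."""
    return f"{tool} -- {shlex.quote(filename)}"


def echo_argv(filename: str) -> str:
    """Run a child process without a shell and return exactly the argument it received."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", filename],
        capture_output=True,
        text=True,
        check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    print("flagged:", looks_like_injection(HOSTILE_NAME))
    print("unsafe :", unsafe_shell_command("ls", HOSTILE_NAME))
    print("argv   :", build_argv("ls", HOSTILE_NAME))
    print("quoted :", build_shell_command("ls", HOSTILE_NAME))
    print("child saw:", repr(echo_argv(HOSTILE_NAME)))
```

Running it shows the child receives `notes.txt; id` as one intact argument; a shell given the unsafe string would instead see a second command. The argv form is the one to prefer; quoting is the mitigation of last resort.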
JetBrains’ recommendation for unpatched instances is to disable guest collaboration features and rotate credentials handled by the IDE — reasonable interim steps, but not a substitute for upgrading.
YouTrack, Kotlin, and the Rest
The patch train extends further. YouTrack received a fix for CVE-2026-33392, a sandbox-bypass RCE discovered by Hacktron AI and researcher Rahul Maini. The fix is YouTrack 2026.2.16593. Kotlin users on older builds should upgrade to 2.4.20 to address CVE-2026-53914 (CVSS 6.7), which enables code execution through unsafe deserialization in build cache metadata.
These carry lower urgency than the Hub flaws, but they share the same maintenance window. Upgrade everything while you’re in there.
Cloud vs. Self-Hosted: Who Needs to Act
If you use JetBrains Cloud — Space, YouTrack Cloud, or Hub Cloud — JetBrains has already patched your instance. You don’t need to do anything.
If you run self-hosted JetBrains infrastructure, you’re responsible for your upgrade cycle. Hub instances with internet exposure are the highest priority given the unauthenticated nature of CVE-2026-56141. An internet-facing Hub running a pre-patch version is a sitting target.
Patch Version Reference
- Hub: 2026.1.13757 (also patched in 2025.x and 2024.x branches)
- IntelliJ IDEA: 2026.1 (CVE-2026-49382), 2026.1.1 (CVE-2026-49366)
- YouTrack: 2026.2.16593
- Kotlin: 2.4.20
Full details are available on JetBrains’ Fixed Security Issues page. The company backports patches to older major versions — which matters when enterprise teams can’t always jump to the latest major immediately. That’s worth acknowledging. Now go upgrade.