Multiple JetBrains Product Vulnerabilities: Account Takeover, Privilege Escalation, and RCE Across Hub, YouTrack, IntelliJ IDEA, Kotlin, GoLand, and TeamCity — Threadlinqs Intelligence
Threat ID: TL-2026-1069 · Severity: HIGH · CVSS: 9.8 · Status: ACTIVE · Category: VULNERABILITY
JetBrains patched a cluster of vulnerabilities across its developer-tool ecosystem (Hub, YouTrack, IntelliJ IDEA, Kotlin, GoLand, TeamCity) spanning authentication bypass, privilege escalation,
JetBrains disclosed and fixed a wide-ranging set of security issues affecting its identity/administration hub (Hub), issue tracker (YouTrack), the Kotlin compiler toolchain, the GoLand IDE, IntelliJ IDEA, and the TeamCity CI/CD server, largely in the May-June 2026 patch cycle. The cluster spans several distinct root causes:

(1) Authentication and authorization weaknesses in Hub and YouTrack, including a critical (CVSS 9.8) authentication bypass allowing unauthenticated administrative actions (CVE-2026-25848, fixed in Hub 2025.3.119807), plus multiple YouTrack access-control and information-disclosure bugs (CVE-2026-49369, CVE-2026-49370, CVE-2026-49385, CVE-2026-49386).

(2) Unsafe deserialization in the Kotlin compiler's build-cache metadata handling, enabling arbitrary code execution during build operations (CVE-2026-53914, CWE-502, fixed in Kotlin 2.4.20).

(3) Remote code execution in GoLand when opening a project with untrusted, attacker-controlled configuration, driven by external control of file name/path (CVE-2026-53915, CWE-73, CVSS 8.8, fixed in GoLand 2026.1.3).

(4) Command injection in IntelliJ IDEA's filename-completion subsystem, where unsanitized filenames reach OS command construction (CVE-2026-49366, CWE-78, CVSS 7.8, fixed in IntelliJ IDEA 2026.1.1), and a related template-injection RCE in IntelliJ IDEA's Copyright plugin (CVE-2026-49382, CWE-1336, CVSS 7.8, fixed in IntelliJ IDEA 2026.1). A prior sandbox-bypass RCE in YouTrack's template engine, reachable by high-privileged users, was also fixed (CVE-2026-33392, CWE-1336, CVSS 7.2).

(5) A cluster of TeamCity CI/CD server flaws fixed in TeamCity 2026.1: RCE via Perforce VCS-root connection settings (CVE-2026-49373, CWE-88, CVSS 7.1); improper authorization exposing build-configuration parameters, including database credentials and API keys, via the REST API (CVE-2026-49374, CWE-285/CWE-862, critical); insufficient username validation in the SAML SSO plugin enabling identity-provider assertion spoofing and full account takeover, including administrator impersonation (CVE-2026-49376, CVSS 6.5); and information disclosure via parameter autocompletion exposing credentials to low-privileged users (CVE-2026-49378). These build on an already-disclosed high-severity TeamCity API-exposure/privilege-escalation issue (CVE-2026-44413, fixed in TeamCity 2026.1) from May 2026.

The combined effect across the product line is that an attacker who compromises Hub/YouTrack identity infrastructure, or who gets a victim to open a malicious project/repository in an affected IDE, or who controls a TeamCity VCS connection (e.g., a malicious or compromised Perforce depot), can pivot to code execution on developer workstations or CI/CD build agents — a textbook software-supply-chain attack path. No CVE in this cluster is listed in the CISA Known Exploited Vulnerabilities catalog as of this writing; JetBrains' historical TeamCity path-traversal flaws (CVE-2024-27198/CVE-2024-27199) remain the only JetBrains entries in KEV, added in 2024 and referenced again by CISA in an April 2026 catalog update, underscoring that this vendor's on-premise CI/CD product has a track record of post-disclosure exploitation and should be prioritized for rapid patching.
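Since the remediation for every product here is reaching a named fixed version, a patch-status check is the first thing a defender needs. The following is an added example (not Threadlinqs' or JetBrains' code) built only from the fixed versions the advisory states; it assumes versions are dotted numeric strings compared component-wise and uses a constructed inventory.

```python
# Added example (not Threadlinqs' or JetBrains' code): flag installs older
# than the fixed versions named in this advisory. Assumes dotted numeric
# versions compared component-wise; a trailing " (build N)" is ignored.
from typing import Dict, List, Tuple

# (product, first fixed version, CVE) exactly as the advisory states them.
# YouTrack CVEs and CVE-2026-33392 are omitted: no fixed version is given.
FIXED: List[Tuple[str, str, str]] = [
    ("Hub", "2025.3.119807", "CVE-2026-25848"),
    ("Kotlin", "2.4.20", "CVE-2026-53914"),
    ("GoLand", "2026.1.3", "CVE-2026-53915"),
    ("IntelliJ IDEA", "2026.1.1", "CVE-2026-49366"),
    ("IntelliJ IDEA", "2026.1", "CVE-2026-49382"),
    ("TeamCity", "2026.1", "CVE-2026-49373"),
    ("TeamCity", "2026.1", "CVE-2026-49374"),
    ("TeamCity", "2026.1", "CVE-2026-49376"),
    ("TeamCity", "2026.1", "CVE-2026-49378"),
    ("TeamCity", "2026.1", "CVE-2026-44413"),
]

# Constructed sample inventory (not real hosts), e.g. an asset-DB export.
INVENTORY: Dict[str, str] = {
    "Hub": "2025.3.119000",
    "Kotlin": "2.4.20",
    "GoLand": "2026.1.2",
    "IntelliJ IDEA": "2026.1 (build 261.1)",
    "TeamCity": "2025.11.2",
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'2026.1 (build 261.1)' -> (2026, 1); raises ValueError on junk."""
    return tuple(int(part) for part in text.strip().split()[0].split("."))

def is_vulnerable(installed: str, fixed: str) -> bool:
    """True if installed is strictly older; zero-pads so 2026.1 == 2026.1.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def unpatched(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each inventoried product to the CVEs its version still carries."""
    findings: Dict[str, List[str]] = {}
    for product, fixed_version, cve in FIXED:
        installed = inventory.get(product)
        if installed and is_vulnerable(installed, fixed_version):
            findings.setdefault(product, []).append(cve)
    return {p: sorted(cves) for p, cves in findings.items()}

if __name__ == "__main__":
    print(unpatched(INVENTORY))
```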
Weaknesses (CWE)
CWE-287, CWE-502, CWE-73, CWE-78, CWE-863, CWE-201, CWE-88, CWE-285, CWE-862, CWE-639
Target sectors: technology, software development, finance, government administration, health, critical infrastructure
Target regions: Global
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 21 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
VULNERABILITY, HIGH, threat intelligence, cybersecurity, CVE-2026-25848, CVE-2026-53914, CVE-2026-53915, CVE-2026-49366, CVE-2026-49369, CVE-2026-49370, CVE-2026-49373, CVE-2026-49374, CVE-2026-49376, CVE-2026-49378, T1199, T1195, T1059, T1203, T1204, T1078, T1505, T1068, T1211