JetBrains has patched a cluster of critical vulnerabilities across its on-premise developer stack, led by CVE-2026-56141, a CVSS 9.8 flaw in JetBrains Hub that lets an unauthenticated attacker seize any account, including admin. The danger is not one bug but the chain: Hub is the identity layer under YouTrack, TeamCity and the IDEs, so taking it over can pivot into remote code execution and control of the builds, artifacts and deployments a software team ships. For any shop running JetBrains tools on its own servers, this is a patch-now event.

  • CVE-2026-56141 (CVSS 9.8) in JetBrains Hub uses predictable account-restore codes from a weak random number generator, letting an unauthenticated attacker take over any account.
  • Two more Hub criticals, CVE-2026-50242 (auth bypass via direct database access) and CVE-2026-56142 (privilege escalation), compound the risk; CVE-2026-50242 also touches YouTrack.
  • Separate RCE bugs hit IntelliJ IDEA (CVE-2026-49366, CVE-2026-49382), GoLand and TeamCity, several triggered by opening untrusted project files.
  • The real threat is a chain: bypass auth in Hub or YouTrack, then land RCE in TeamCity or an IDE, and a single foothold becomes control of the whole CI/CD pipeline.
How the JetBrains flaws chain into pipeline control An attacker takes over an account in Hub via weak restore codes, uses Hub as the identity layer to reach YouTrack and TeamCity, then lands RCE to control builds and deployments. Hub takeoverCVE-2026-56141 · 9.8 YouTrack accessshared auth bypass IDE / TeamCity RCEuntrusted project files Pipeline controlbuilds · artifacts · deploys genztech.blog
Fig 1 The chain that makes this critical: take over an account in Hub, use it as the shared identity layer to reach YouTrack and TeamCity, then land RCE and control the whole build pipeline.

What is the most dangerous bug here?

CVE-2026-56141 in JetBrains Hub, rated CVSS 9.8. Hub is JetBrains' identity and single-sign-on layer, the thing that authenticates users across YouTrack, TeamCity and other on-premise products, which makes a flaw in it uniquely damaging. This one comes from predictable account-restore codes: the codes used to recover an account are generated by a weak random number generator, so an attacker can enumerate valid codes and take over any account without credentials, up to and including administrators. Because Hub sits under so many other tools, seizing a Hub admin account is not just one compromised login, it is potential control of the identity fabric an entire engineering org runs on. Two sibling criticals make it worse: CVE-2026-50242 allows authentication bypass via direct database access, and CVE-2026-56142 lets an attacker attach unauthorized authentication details to existing accounts.

RelatedMicrosoft Patches RoguePlanet Defender Zero-Day

Why is the attack chain the real story?

Because developer tooling is a target-rich environment where one weak link reaches everything. On its own, an account takeover in Hub is serious; an RCE in an IDE is serious; but strung together they are catastrophic. An attacker who abuses the Hub or YouTrack authentication bypass to get inside, then leverages a remote-code-execution primitive in TeamCity or an IntelliJ-based IDE, can pivot from a single foothold to full control over builds, artifacts and deployments. That is a supply-chain nightmare: compromise the build server and you can poison the software a company ships to its own customers. The individual CVEs are the ingredients; the chain from login bypass to build takeover is the actual threat, and it is why this cluster matters more than any one bug's score.

How do the IDE bugs get triggered?

CVEProductTypeTrigger
CVE-2026-56141HubAccount takeover (9.8)Predictable restore codes
CVE-2026-50242Hub / YouTrackAuth bypassDirect database access
CVE-2026-49382IntelliJ IDEARCECopyright-plugin template injection
CVE-2026-49366IntelliJ IDEACommand injectionFilename completion on hostile paths
CVE-2026-53915GoLandRCEUntrusted project config files

The pattern in the IDE bugs is the same lesson developers keep relearning: opening a project is not a passive act. Filename completion against attacker-controlled paths, a malicious Copyright-plugin template, or a rigged project config file can all run code the moment you interact with a cloned repository, which is why untrusted repos should be opened in disposable containers, not on your main workstation.

What should teams do now?

Action · now
  • Patch the identity layer first. Upgrade Hub to 2026.1.13757 or the backported LTS build for your branch. It underpins everything else, so it is the priority.
  • Update every JetBrains product. IntelliJ IDEA 2026.1.1, GoLand 2026.1.3, and the fixed TeamCity and YouTrack builds. Do not patch Hub and forget the rest.
  • Rotate credentials. Assume anything the IDE or Hub handled could be exposed. Rotate tokens and secrets, and review admin accounts for unauthorized changes.
  • Isolate untrusted repos. Until patched, disable guest collaboration and open suspicious projects only inside a throwaway VM or container.

Our take

The scariest thing about this batch is not the 9.8 score, it is what the tools sit on top of. Developer infrastructure is the ultimate high-value target, because whoever controls your build server controls the software you ship to everyone downstream, and JetBrains Hub, YouTrack and TeamCity are exactly that infrastructure for a huge number of teams. A weak random number generator producing guessable restore codes is a basic, avoidable mistake in the one component whose entire job is trust, and it is a reminder that identity code deserves the harshest scrutiny of anything you run. The individual patches are straightforward; the discipline they demand is not, because you have to patch the whole stack, rotate what it touched, and change how you open untrusted code. Teams that treat this as a one-line Hub update and move on are the ones a determined attacker will chain straight through to their pipeline.

Primary sources

Original analysis by GenZTech. Figures current as of July 2026.