JetBrains Hub ships 2026.1.13757 patching two critical auth-bypass CVEs
JetBrains Hub 2026.1.13757 fixes CVE-2026-50242 (CVSS 10.0 auth bypass) and CVE-2026-56141 (CVSS 9.8 account takeover via predictable restore codes). LTS backports available.
JetBrains has published fixes for a cluster of critical vulnerabilities in Hub, the identity and access-management component that authenticates users for YouTrack, TeamCity and other on-prem JetBrains services. The vendor's fixed-issues bulletin lists three Hub CVEs, two of them critical. All are resolved in Hub 2026.1.13757, with backports for the 2025.3, 2025.2, 2025.1, 2024.3 and 2024.2 branches. Every self-hosted Hub deployment is in scope.
The critical Hub CVEs
- CVE-2026-50242 — CVSS 10.0. Authentication bypass reachable via direct database access, categorised under CWE-306 (Missing Authentication for Critical Function). An unauthenticated network attacker can reach sensitive configuration paths and obtain administrative control without valid credentials. Reported by researcher Tuan Anh Lai.
- CVE-2026-56141 — CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Account takeover via predictable restore codes in Hub's account-recovery flow. The recovery mechanism generated codes with insufficient randomness (CWE-338, Cryptographically Weak PRNG); an unauthenticated attacker who knows or can guess a target username or email can enumerate valid codes and hijack any account — including administrators.
- CVE-2026-56142 — Privilege escalation via unsafe attachment of authentication details to existing accounts. An authenticated user can manipulate linked authentication records to escalate.
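The CWE-338 finding behind CVE-2026-56141 is a recovery flow whose codes an attacker can enumerate. The following is an added example, not Hub's code, of what a recovery-code store has to get right to close that gap: CSPRNG-sourced codes, hash-only storage, a short expiry, single use, a burn on any wrong attempt so enumeration gets one guess per issued code, and constant-time comparison. The class and field names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example (not JetBrains Hub code): recovery codes done safely.
CODE_BYTES = 32          # 256 bits of entropy from the OS CSPRNG
CODE_TTL_SECONDS = 900   # a code is valid for 15 minutes


class RecoveryCodeStore:
    """Issues and redeems single-use account-recovery codes."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, handy for testing
        self._pending = {}         # username -> (sha256(code), expiry)

    def issue(self, username):
        """Mint a fresh code for `username`, replacing any pending one.

        The plaintext code is returned once for out-of-band delivery
        (e-mail); only its hash is retained, so a database read does not
        yield usable codes.
        """
        code = secrets.token_urlsafe(CODE_BYTES)
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[username] = (digest, self._now() + CODE_TTL_SECONDS)
        return code

    def redeem(self, username, presented):
        """Return True exactly once for a valid, unexpired code.

        Any attempt, right or wrong, consumes the pending code, so a
        guessing attacker gets a single try per issued code instead of
        an unbounded enumeration window.
        """
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            return False
        candidate = hashlib.sha256(presented.encode()).digest()
        # Constant-time compare: no timing leak on how many bytes matched.
        return hmac.compare_digest(candidate, digest)
```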
Because Hub is the identity provider for the whole JetBrains on-prem stack, a compromised Hub account cascades: an attacker with admin on Hub can pivot to any linked YouTrack, TeamCity, or Space instance.
Affected versions
Hub before 2026.1.13757, and the following LTS lines:
- 2025.3 before 2025.3.148033
- 2025.2 before 2025.2.148048
- 2025.1 before 2025.1.148120
- 2024.3 before 2024.3.148430
- 2024.2 before 2024.2.148429
Cloud-hosted JetBrains services are managed by JetBrains and out of scope for the on-prem patch cycle. The CVEs are self-hosted-only.
Also patched: IntelliJ IDEA
The same disclosure cycle covers two IntelliJ IDEA issues, resolved in IntelliJ IDEA 2026.1.1:
- CVE-2026-49366 — Command injection triggered via filename completion.
- CVE-2026-49367 — Authentication bypass in Code With Me, letting a low-privileged guest in a collaboration session execute commands on the host system.
Both are High severity per JetBrains's tracking.
Exploitation status
No public PoC and no in-the-wild reports at time of publication. Neither CISA KEV nor CERT-FR carries a matching entry. That does not lower the urgency: CVE-2026-50242 is unauthenticated, network-reachable, and CVSS 10.0, and CVE-2026-56141 is exploitable by anyone who can guess or enumerate a valid Hub account name. Both are the shape of bugs that turn up in mass-scanning traffic within days.
Action checklist
- Upgrade Hub to 2026.1.13757 or the matching LTS patch for your branch. There is no configuration mitigation for CVE-2026-50242 — the fix is the patch.
- Force a global session invalidation on Hub after upgrading. CVE-2026-56141 could have quietly minted valid sessions before you noticed.
- Restrict network access to Hub's admin surface. If Hub is publicly reachable, put it behind a VPN or IP allowlist while you patch; the pre-auth attack surface is exactly what an internet-facing Hub exposes.
- Audit Hub's linked authentication records (SAML/OIDC/OAuth external providers) for entries you did not add. CVE-2026-56142 lets an attacker attach authentication details to an account — the artifact is an unexpected linked identity on a real user.
- Rotate credentials for accounts you cannot rule out as impacted. Anyone whose Hub username or email is public (project committers, external contributors) is guessable by definition.
- Upgrade IntelliJ IDEA to 2026.1.1 on developer workstations. The Code With Me bypass in CVE-2026-49367 makes any active collaboration session a potential RCE.
Standing context
Hub is the second JetBrains disclosure of the quarter after the June marketplace ecosystem update around malicious AI plugins in the IDE marketplace. Two different failure modes — supply-chain in June, identity provider in July — but the same practical exposure surface: any team running the on-prem JetBrains stack has to treat Hub and the marketplace as part of its own attack surface, not the vendor's.
CVSS 10.0 auth-bypasses in identity providers used to be a Keycloak-and-Okta beat. The Keycloak 26.6.4 disclosure covered by CERT-FR on June 29 and now the Hub cluster land inside a week of each other; if you operate more than one identity broker, treat this as a coincident-patch window and coordinate the maintenance work.