- Product: JetBrains (2 products)
- Vulnerabilities: 3 flaws (CVE-2026-50242, CVE-2026-56142, CVE-2026-53915)
- Highest severity: 10.0 (Critical · CVSSv3)
- Worst impact: In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430,...
- Status: No confirmed exploitation yet; patches available
- Action: Update to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429, 2026.1.3 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-50242 | 10.0 | CWE-306 | 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 | Not exploited |
| CVE-2026-56142 | 9.9 | CWE-915 | 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 | Not exploited |
| CVE-2026-53915 | 7.1 | CWE-73 | 2026.1.3 | Not exploited |
TL;DR
JetBrains fixed three security flaws across Hub, YouTrack, and GoLand. The worst is a JetBrains authentication bypass scored CVSS 10 (CVE-2026-50242). The company found no sign of real-world abuse.
Why It Matters
JetBrains tools reach more than 15 million developers, by the company’s own count. That figure shows the scale of its install base, though direct exposure here is narrower. Hub powers single sign-on and account management for many teams. Therefore, one account flaw can unlock every connected service. A CVSS 10 rating marks the highest possible severity, and the bug needs no prior privileges.
Self-managed Hub and YouTrack Server instances face the real risk. JetBrains Cloud customers were patched by the vendor.
How the Attacks Work
The top bug, CVE-2026-50242, is a JetBrains authentication bypass. An attacker with direct database access could gain administrative control. Next, CVE-2026-56142 (CVSS 9.9) let a low-privileged user escalate rights by attaching authentication details to accounts. The third flaw, CVE-2026-53915 (CVSS 7.1), allowed remote code execution in GoLand through an untrusted project configuration.
Independent researchers and JetBrains uncovered the issues in May 2026 through coordinated disclosure. The vendor then assigned CVEs and shipped fixes.
Affected Versions
The Hub bugs hit builds before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429. YouTrack Server, which bundles Hub, is affected too. Meanwhile, the GoLand flaw affects releases before 2026.1.3.
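The fixed Hub builds are not ordered across release lines (2025.1.148120 has a higher build number than 2025.3.148033), so comparing an install against a single version misclassifies it. The following Python triage is an added example, not JetBrains code, and compares each build within its own release line. The host names and inventory versions are constructed, and it is an assumption that each listed build is the fix for its own `year.minor` line and that lines newer than 2026.1 already carry the fix.

```python
# Added example, not JetBrains code. Fixed Hub builds keyed by (year, minor).
HUB_FIXED = {
    (2026, 1): 13757, (2025, 3): 148033, (2025, 2): 148048,
    (2025, 1): 148120, (2024, 3): 148430, (2024, 2): 148429,
}
GOLAND_FIXED = (2026, 1, 3)  # single threshold, plain tuple comparison

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("hub-eu", "hub", "2025.2.148040"),
    ("hub-us", "hub", "2025.3.148033"),
    ("hub-old", "hub", "2024.1.148500"),
    ("dev-laptop", "goland", "2026.1.2"),
]


def parse(version):
    """Turn '2025.2.148040' into (2025, 2, 148040); pad 'YYYY.N' with 0."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def hub_status(version):
    """Classify a Hub build as fixed, affected, or affected with no listed fix."""
    year, minor, build = parse(version)
    line = (year, minor)
    if line in HUB_FIXED:
        # Build numbers are only comparable inside one release line.
        return "fixed" if build >= HUB_FIXED[line] else "affected"
    if line > max(HUB_FIXED):
        return "fixed"  # assumption: lines newer than those listed carry the fix
    return "affected-no-listed-fix"  # older line: move to a listed release


def goland_status(version):
    return "fixed" if parse(version) >= GOLAND_FIXED else "affected"


def triage(inventory):
    """Map each host to its status using the checker for its product."""
    check = {"hub": hub_status, "goland": goland_status}
    return {host: check[product](ver) for host, product, ver in inventory}


if __name__ == "__main__":
    print(triage(INVENTORY))
```

A status of `affected-no-listed-fix` means the install sits on a release line older than any fixed build named in this advisory, so it has to move to one of the listed lines.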
Exploitation Status
JetBrains states it found no evidence of exploitation outside testing environments. In addition, no public proof-of-concept exists yet.
Patch and Mitigation
Update now. JetBrains has patched YouTrack Cloud and released fixed builds for Hub, YouTrack Server, and GoLand. Self-managed administrators should upgrade to the listed versions without delay. For the full list, see the JetBrains fixed security issues page.