TL;DR
JetBrains has patched six JetBrains vulnerabilities across YouTrack, IntelliJ IDEA, and TeamCity. The most severe, CVE-2026-62422 (CVSS 10.0), allows an authentication bypass in YouTrack via direct database access, leading to administrative access. A critical IntelliJ IDEA flaw, CVE-2026-59792 (CVSS 9.6), enables code execution, while TeamCity 2026.1.2 fixes the remaining four flaws.
Why It Matters
All three products sit deep inside developer workflows. YouTrack tracks issues and projects, IntelliJ IDEA is one of the most widely used Java IDEs, and TeamCity servers hold build pipelines, credentials, and source access. Consequently, these JetBrains vulnerabilities create a path into the software supply chain if left unpatched. A maximum-severity authentication bypass that yields admin rights raises the stakes further.
How the Attacks Work
CVE-2026-62422: YouTrack Authentication Bypass (CVSS 10.0)
The flaw allows an authentication bypass via direct database access. A successful attacker gains administrative access to the YouTrack instance without valid credentials.
CVE-2026-59792: IntelliJ IDEA Code Execution (CVSS 9.6)
This critical flaw stems from path traversal in project workspace ID handling. Its CVSS vector shows a network attack path that requires user interaction, such as opening a malicious project.
Four TeamCity Flaws
CVE-2026-59793 (CVSS 8.8) allows arbitrary file access through the Perforce VCS integration. Meanwhile, CVE-2026-59796 (CVSS 8.1) permits pipeline modification due to improper permission checks. Two stored XSS bugs round out the set: CVE-2026-59795 (CVSS 8.1) via unauthenticated agent registration, and CVE-2026-59794 (CVSS 7.3) via agent-reported data on the cloud profile page.
- Total: 6 CVEs
- Severity: 2 Critical · 4 High
- Actively exploited: None confirmed
- Highest severity: 10.0 (Critical · CVSSv3) — CVE-2026-62422
- Action: Apply the latest security updates now
Notable CVEs
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-62422 | 10.0 | CWE-306 | 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 | Not exploited |
| CVE-2026-59792 | 9.6 | CWE-23 | 2026.1.4, 2026.2 | Not exploited |
| CVE-2026-59793 | 8.8 | CWE-73 | 2026.1.2 | Not exploited |
| CVE-2026-59795 | 8.1 | CWE-79 | 2026.1.2 | Not exploited |
| CVE-2026-59796 | 8.1 | CWE-862 | 2026.1.2 | Not exploited |
| CVE-2026-59794 | 7.3 | CWE-79 | 2026.1.2 | Not exploited |
Affected Versions
YouTrack builds before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429 carry the authentication bypass. IntelliJ IDEA versions before 2026.1.4 and 2026.2 are affected. All four TeamCity flaws affect versions before 2026.1.2.
Exploitation Status
No in-the-wild exploitation or public proof-of-concept has been confirmed for any of the six flaws at this time.
Patch and Mitigation
Administrators should update YouTrack to build 2026.1.13757 or the fixed build for their release line. Developers should update IntelliJ IDEA to 2026.1.4 or 2026.2, and TeamCity operators should upgrade to 2026.1.2. In the meantime, restrict direct database access to YouTrack hosts. Full details appear on the JetBrains security issues fixed page.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.