Skip to main content

Junie CVE-2026-41153

| EUVDEUVD-2026-23430 MEDIUM
Command Injection (CWE-77)
2026-04-17 JetBrains
5.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.8 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 14:58 nvd
Patch available
Patch available
Apr 17, 2026 - 15:16 EUVD
Analysis Generated
Apr 17, 2026 - 15:00 vuln.today
EUVD ID Assigned
Apr 17, 2026 - 14:45 euvd
EUVD-2026-23430
Analysis Generated
Apr 17, 2026 - 14:45 vuln.today
CVE Published
Apr 17, 2026 - 14:29 nvd
MEDIUM 5.8

DescriptionCVE.org

In JetBrains Junie before 252.549.29 command execution was possible via malicious project file

AnalysisAI

Command execution in JetBrains Junie before version 252.549.29 allows local attackers to execute arbitrary commands by crafting malicious project files, requiring user interaction to open the file. The vulnerability affects all Junie versions prior to the patched release and exploits unsafe handling of project file content without proper sanitization.

Technical ContextAI

JetBrains Junie is an IDE that processes project configuration files during workspace initialization. The vulnerability stems from CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that user-supplied input from malicious project files is passed to command execution functions without adequate validation or escaping. When Junie parses a crafted project file, unsanitized data reaches shell execution routines, allowing injection of arbitrary commands. This is a classic command injection vulnerability where metacharacters or command separators embedded in project file data are not neutralized before being interpreted by the shell.

RemediationAI

Vendor-released patch: JetBrains Junie 252.549.29 or later. Users must upgrade to the fixed version immediately via the JetBrains update mechanism or by downloading the latest release from jetbrains.com. No workaround exists for older versions; the only mitigation is patching. In environments where immediate upgrade is infeasible, restrict user ability to open untrusted project files by disabling auto-loading of projects from untrusted sources, though this degrades usability. Additionally, monitor for suspicious project file sources and educate users not to open project files from unknown or untrusted origins. See https://www.jetbrains.com/privacy-security/issues-fixed/ for official details.

Share

CVE-2026-41153 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy