Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account
AnalysisAI
Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user account to run arbitrary commands on the host. The flaw, reported by JetBrains and tagged as an authentication bypass affecting the IDE's collaborative/guest-access functionality, carries a CVSS 8.0 (High) rating with network attack vector but requires low-privilege access and user interaction. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Technical ContextAI
JetBrains IntelliJ IDEA is a widely deployed integrated development environment for JVM and polyglot software development; it supports collaborative coding sessions (Code With Me / guest sessions) where a host shares a workspace with remote guests who connect under a restricted guest user account. The CWE-862 (Missing Authorization) classification indicates that the IDE failed to enforce proper authorization checks on actions reachable from the guest context, allowing a guest principal to invoke functionality that should have been gated to the host or higher-privileged user - in this case, command execution against the host environment. The CPE cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:* indicates the wildcard version range is affected up to the fixed build 2026.1.1.
RemediationAI
Upgrade IntelliJ IDEA to version 2026.1.1 or later, which is the Vendor-released patch: 2026.1.1 per JetBrains' fixed-issues advisory at https://www.jetbrains.com/privacy-security/issues-fixed/. Until the upgrade is rolled out across developer workstations, compensating controls include disabling the Code With Me / guest collaboration plugin (Settings → Plugins → disable Code With Me) which removes the guest attack surface entirely at the cost of losing real-time pair-programming functionality, restricting guest sessions to authenticated, internally trusted users only via JetBrains organization/policy settings, and instructing developers not to accept guest connections from untrusted parties. Network-level controls such as blocking outbound connections to JetBrains' relay servers can also prevent guest sessions from being established but will break legitimate collaboration workflows.
More in Intellij Idea
View allCode execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper
In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin
In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases. Rated
In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartex
In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to s
In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote att
In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin,
In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads
Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusin
In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions. Rated high severity (CVS
In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks. Rated high severity (CVSS 7.8
In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible. Rated high severity (CVSS 7.8), this v
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33415
GHSA-gjhj-r92c-v3ff