Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A broken access control may allow an authenticated user to perform a horizontal privilege escalation. The vulnerability only impacts specific configurations.
AnalysisAI
A broken access control vulnerability in JetBrains Datalore allows authenticated users to escalate privileges horizontally, accessing resources of other users at the same permission level. The vulnerability affects Datalore versions prior to 2026.1 but only impacts specific configurations. With a CVSS score of 8.8 and high EPSS score of 0.36942, this represents a significant risk, though no active exploitation or proof-of-concept code has been reported publicly.
Technical ContextAI
The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the application fails to properly validate user permissions when accessing resources. JetBrains Datalore, identified through CPE cpe:2.3:a:jetbrains:datalore:*:*:*:*:*:*:*:* with versions before 2026.1, is a collaborative data science platform that allows teams to work on notebooks and data analysis. The broken access control allows an authenticated user to manipulate identifiers or keys to access data belonging to other users at the same privilege level, bypassing intended authorization boundaries.
RemediationAI
Upgrade JetBrains Datalore to version 2026.1 or later, which contains the security fix for this vulnerability. JetBrains provides detailed upgrade instructions in their security advisory at https://www.jetbrains.com/privacy-security/issues-fixed/. For environments where immediate patching is not feasible, implement additional access controls at the network level, monitor for unusual cross-user access patterns, and review your Datalore configuration to determine if it matches the vulnerable configurations described by JetBrains. Consider implementing additional authentication layers or network segmentation to limit potential horizontal movement.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11772