Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
6DescriptionCVE.org
In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server
AnalysisAI
Local file disclosure in IntelliJ IDEA's built-in web server allows remote attackers to read arbitrary local files via network requests requiring user interaction. JetBrains IDEA versions before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, and 2026.1.1 are affected. The vulnerability achieves scope change (CVSS S:C) enabling cross-context information theft with high confidentiality impact but no integrity or availability damage. No active exploitation (KEV-absent) or public POC identified at time of analysis, though vendor disclosure suggests controlled remediation timeline.
Technical ContextAI
The vulnerability stems from CWE-59 (Improper Link Resolution Before File Access, 'Link Following'), affecting JetBrains IntelliJ IDEA's built-in development web server. This embedded HTTP server, typically running on localhost during development workflows, failed to properly validate and sanitize file path requests. The CVSS scope change (S:C) indicates the vulnerable component (web server) can impact resources beyond its security scope, allowing attackers to access files outside the web server's intended document root. The attack leverages path traversal or symbolic link manipulation through specially crafted HTTP requests to the built-in server, exploiting insufficient canonicalization of file paths before access control checks. IntelliJ IDEA's web server is commonly used for live preview, debugging web applications, and serving static content during development-features that require file system access but demand strict sandboxing to prevent unauthorized file disclosure.
RemediationAI
Upgrade IntelliJ IDEA to the patched versions corresponding to your release branch: 2024.3.7.1 (for 2024.3.x users), 2025.1.7.1 (for 2025.1.x), 2025.2.6.2 (for 2025.2.x), 2025.3.4.1 (for 2025.3.x), or 2026.1.1 (for 2026.1.x early adopters). Updates are available through JetBrains Toolbox, in-IDE update mechanisms, or direct download from jetbrains.com. Consult the official security advisory at https://www.jetbrains.com/privacy-security/issues-fixed/ for version-specific upgrade paths. If immediate patching is not feasible, disable the built-in web server when not actively needed via Settings > Build, Execution, Deployment > Debugger > Built-in server (uncheck 'Allow unsigned requests'). Note this mitigation breaks live preview and browser-based debugging workflows. Network-level controls provide limited protection given UI:R attack vector requires browser interaction rather than direct server exploitation. Organizations should prioritize patching developer workstations and audit for sensitive files inadvertently exposed if exploitation occurred during the vulnerability window.
More in Intellij Idea
View allCode execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper
In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin
In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases. Rated
In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartex
In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to s
In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote att
In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin,
In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads
Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user accou
Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusin
In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions. Rated high severity (CVS
In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks. Rated high severity (CVSS 7.8
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26368