Skip to main content

IntelliJ IDEA EUVDEUVD-2026-26368

| CVE-2026-41882 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-04-30 JetBrains
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 30, 2026 - 15:13 nvd
Patch available
Patch available
Apr 30, 2026 - 13:01 EUVD
Analysis Generated
Apr 30, 2026 - 12:15 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 12:00 euvd
EUVD-2026-26368
Analysis Generated
Apr 30, 2026 - 12:00 vuln.today
CVE Published
Apr 30, 2026 - 11:05 nvd
HIGH 7.4

DescriptionCVE.org

In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server

AnalysisAI

Local file disclosure in IntelliJ IDEA's built-in web server allows remote attackers to read arbitrary local files via network requests requiring user interaction. JetBrains IDEA versions before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, and 2026.1.1 are affected. The vulnerability achieves scope change (CVSS S:C) enabling cross-context information theft with high confidentiality impact but no integrity or availability damage. No active exploitation (KEV-absent) or public POC identified at time of analysis, though vendor disclosure suggests controlled remediation timeline.

Technical ContextAI

The vulnerability stems from CWE-59 (Improper Link Resolution Before File Access, 'Link Following'), affecting JetBrains IntelliJ IDEA's built-in development web server. This embedded HTTP server, typically running on localhost during development workflows, failed to properly validate and sanitize file path requests. The CVSS scope change (S:C) indicates the vulnerable component (web server) can impact resources beyond its security scope, allowing attackers to access files outside the web server's intended document root. The attack leverages path traversal or symbolic link manipulation through specially crafted HTTP requests to the built-in server, exploiting insufficient canonicalization of file paths before access control checks. IntelliJ IDEA's web server is commonly used for live preview, debugging web applications, and serving static content during development-features that require file system access but demand strict sandboxing to prevent unauthorized file disclosure.

RemediationAI

Upgrade IntelliJ IDEA to the patched versions corresponding to your release branch: 2024.3.7.1 (for 2024.3.x users), 2025.1.7.1 (for 2025.1.x), 2025.2.6.2 (for 2025.2.x), 2025.3.4.1 (for 2025.3.x), or 2026.1.1 (for 2026.1.x early adopters). Updates are available through JetBrains Toolbox, in-IDE update mechanisms, or direct download from jetbrains.com. Consult the official security advisory at https://www.jetbrains.com/privacy-security/issues-fixed/ for version-specific upgrade paths. If immediate patching is not feasible, disable the built-in web server when not actively needed via Settings > Build, Execution, Deployment > Debugger > Built-in server (uncheck 'Allow unsigned requests'). Note this mitigation breaks live preview and browser-based debugging workflows. Network-level controls provide limited protection given UI:R attack vector requires browser interaction rather than direct server exploitation. Organizations should prioritize patching developer workstations and audit for sensitive files inadvertently exposed if exploitation occurred during the vulnerability window.

CVE-2026-59792 CRITICAL
9.8 Jul 10

Code execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper

CVE-2023-51655 CRITICAL
9.8 Dec 21

In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin

CVE-2020-11690 CRITICAL
9.8 Apr 22

In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases. Rated

CVE-2019-9873 CRITICAL
9.8 Jul 03

In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartex

CVE-2019-9823 CRITICAL
9.8 Jul 03

In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to s

CVE-2019-9186 CRITICAL
9.8 Jul 03

In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote att

CVE-2019-10104 CRITICAL
9.8 Jul 03

In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin,

CVE-2019-9872 HIGH
8.1 Jul 03

In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads

CVE-2026-49367 HIGH
8.0 May 29

Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user accou

CVE-2026-49366 HIGH
7.8 May 29

Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusin

CVE-2023-39261 HIGH
7.8 Jul 26

In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions. Rated high severity (CVS

CVE-2022-47896 HIGH
7.8 Dec 22

In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks. Rated high severity (CVSS 7.8

Share

EUVD-2026-26368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy