Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Project files are obtained over the network and opened without prior auth (AV:N/PR:N), but require the developer to open the malicious project (UI:R), giving full code execution in the user context (C/I/A:H).
Primary rating from Vendor (JetBrains).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionNVD
In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project configuration
AnalysisAI
Remote code execution in JetBrains GoLand before 2026.1.3 lets an attacker run arbitrary code on a developer's machine when the victim opens a maliciously crafted project whose configuration is untrusted. The flaw, reported by JetBrains itself and assigned CVSS 8.8 with high confidentiality, integrity, and availability impact, requires the user to open the booby-trapped project (UI:R) but no prior authentication on the IDE. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to open or import an untrusted/attacker-supplied project in a vulnerable GoLand build (before 2026.1.3) where the project's configuration is trusted and processed by the IDE - this matches the UI:R in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mixed and point to elevated-but-not-emergency risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a Go repository (or sends one to a target developer) that contains crafted project/configuration files. When the developer clones and opens it in a vulnerable GoLand build, the IDE processes the untrusted configuration during project load and executes attacker-controlled code on the developer's workstation. … |
| Remediation | Upgrade to GoLand 2026.1.3 or later (Vendor-released patch: 2026.1.3), which is available from the vendor and documented at https://www.jetbrains.com/privacy-security/issues-fixed/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all GoLand installations in your development organization and their current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ
In JetBrains GoLand before 2019.3.2, the plugin repository was accessed via HTTP instead of HTTPS. Rated high severity (
In JetBrains GoLand before 2025.1 an XXE during debugging was possible. Rated medium severity (CVSS 4.1), this vulnerabi
Same weakness CWE-73 – External Control of File Name or Path
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38005
GHSA-hmp8-wrw4-r24c