Severity by source
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from the vendor (JetBrains). Rationale as given: the recovery flow is network-reachable with no authentication or user interaction required, and a full account takeover yields C:H/I:H/A:H. The same rationale argues that predicting a restore code within its validity window is non-trivial and would warrant AC:H; that conflicts with the AC:L in the vendor vector above, so treat the attack-complexity component as disputed rather than settled.
Description (source: CVE.org)
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429, account takeover via predictable restore codes was possible.
Analysis (AI-generated)
Account takeover in JetBrains Hub is possible through predictable restore codes, affecting all versions prior to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429. Remote unauthenticated attackers can guess or predict the restore codes used for account recovery, enabling them to seize control of arbitrary user accounts. …
Vulnerability Assessment (AI-generated)
| Topic | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the JetBrains Hub account-recovery (restore code) workflow be reachable by the attacker and that a restore code be generated for a target account, either by the attacker initiating the recovery flow against a known username or e-mail address, or by intercepting a legitimate recovery already in progress. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes a remote, unauthenticated, low-complexity attack with full CIA impact, a profile that typically warrants top-priority remediation, especially given Hub's role as the SSO/identity broker for other JetBrains services. … |
| Exploit Scenario | An attacker enumerates valid usernames on an internet-exposed JetBrains Hub instance, triggers the account recovery (restore code) flow for a target administrator, and then predicts or guesses the restore code. The advisory states only that the codes were predictable; weak PRNG seeding or limited entropy are plausible causes but have not been published. Submitting the predicted code through the normal recovery endpoint yields a session for the targeted account, after which the attacker can use Hub's federation to pivot into TeamCity, YouTrack, or other connected JetBrains services. |
| Remediation | Vendor-released patch: upgrade JetBrains Hub to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, or 2024.2.148429, depending on the maintenance branch in use, per https://www.jetbrains.com/privacy-security/issues-fixed/. … |
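The exploit scenario and remediation above hinge on how a restore code is generated and checked. The following Python is an added illustration, not JetBrains Hub code: the advisory says only that Hub's codes were predictable, so the weak generator here (a non-cryptographic PRNG seeded from the issue timestamp) is a hypothetical instance of that failure, shown beside a hardened service that issues 256-bit single-use codes with an expiry and an attempt limit and compares them in constant time. `RecoveryService`, `PendingReset`, `FakeClock` and the constants are names chosen for this example.

```python
# Added illustration, not JetBrains Hub code. The weak generator is a
# hypothetical example of "predictable": the advisory does not say what made
# Hub's restore codes predictable.
import hashlib
import hmac
import random
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_TTL_SECONDS = 15 * 60   # validity window for a hardened code
MAX_ATTEMPTS = 5             # wrong submissions tolerated per pending reset


# ---- Vulnerable pattern -------------------------------------------------------
def weak_restore_code(issued_at: int) -> str:
    """Six-digit code drawn from random.Random seeded with the issue time.

    The seed is the only secret, and it is a timestamp the attacker can estimate
    (the recovery request is attacker-triggered), so the effective keyspace
    collapses from 10**6 codes to a few hundred candidate seeds.
    """
    rng = random.Random(issued_at)
    return f"{rng.randrange(10 ** 6):06d}"


def predict_weak_code(approx_issue_time: int, window_s: int,
                      accepts: Callable[[str], bool]) -> Optional[str]:
    """Attacker side: regenerate the code for every seed in
    [approx - window, approx + window] and return the first one the target
    accepts. `accepts` stands in for submitting a code to the recovery
    endpoint; at most 2*window_s + 1 submissions are needed."""
    for delta in range(-window_s, window_s + 1):
        candidate = weak_restore_code(approx_issue_time + delta)
        if accepts(candidate):
            return candidate
    return None


# ---- Hardened pattern ---------------------------------------------------------
@dataclass
class PendingReset:
    code_hash: bytes        # only a digest is stored; a DB leak reveals no codes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class RecoveryService:
    """Issues single-use, expiring, high-entropy restore codes."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, PendingReset] = {}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, account: str) -> str:
        code = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[account] = PendingReset(
            code_hash=self._digest(code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code  # delivered out of band once; never written to logs

    def redeem(self, account: str, code: str) -> bool:
        pending = self._pending.get(account)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[account]                 # expired
            return False
        if hmac.compare_digest(self._digest(code), pending.code_hash):
            del self._pending[account]                 # single use
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[account]                 # stop online guessing
        return False


class FakeClock:
    """Controllable clock so expiry can be exercised deterministically."""
    def __init__(self, now: float = 1_700_000_000.0) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    issued = 1_700_000_000
    real = weak_restore_code(issued)
    # attacker knows the request time to within a minute
    guessed = predict_weak_code(issued + 17, 60, lambda c: c == real)
    print("weak code recovered:", guessed == real, "within", 2 * 60 + 1, "tries")

    svc = RecoveryService(clock=FakeClock())
    code = svc.issue("alice")
    print("hardened: wrong ->", svc.redeem("alice", "000000"),
          "| right ->", svc.redeem("alice", code),
          "| replay ->", svc.redeem("alice", code))
```

The attacker side needs an oracle (the recovery endpoint accepting or rejecting a code), so the attempt limit and the expiry in the hardened service matter as much as the entropy: a 256-bit code with no attempt limit is still safe, but a 6-digit code with a 5-attempt limit is only safe while the generator is unpredictable.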
Recommended Action (AI-generated)
Within 24 hours: inventory all JetBrains Hub instances and document current versions; enable audit logging for all account recovery attempts; restrict network-level access to Hub administrative interfaces. …
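The 24-hour item above calls for audit logging of recovery attempts; logging only helps if a detection rule sits behind it. The following Python is an added example, not vuln.today or JetBrains tooling: it replays constructed audit lines (Hub's real audit-log format is not shown on the page, so `LINE_RE` and the `recovery_request`/`recovery_redeem` event names are stand-ins to adapt) and raises two kinds of alert, repeated failed code submissions against one account and one source requesting recovery for many accounts.

```python
# Added example; the log layout is constructed for the illustration and is not
# JetBrains Hub's real audit format.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"recovery_(?P<event>request|redeem) "
    r"account=(?P<account>\S+) src=(?P<src>\S+)"
    r"(?: result=(?P<result>ok|fail))?$"
)

# Constructed sample: one legitimate reset for bob, a burst of wrong codes for
# admin from 203.0.113.5, and recovery requests for five different accounts from
# 203.0.113.9 (username enumeration / spraying).
SAMPLE_LOG = """\
2026-03-04T10:00:00Z recovery_request account=bob src=198.51.100.7
2026-03-04T10:00:40Z recovery_redeem account=bob src=198.51.100.7 result=ok
2026-03-04T10:01:00Z recovery_request account=admin src=203.0.113.5
2026-03-04T10:01:05Z recovery_redeem account=admin src=203.0.113.5 result=fail
2026-03-04T10:01:06Z recovery_redeem account=admin src=203.0.113.5 result=fail
2026-03-04T10:01:07Z recovery_redeem account=admin src=203.0.113.5 result=fail
2026-03-04T10:01:08Z recovery_redeem account=admin src=203.0.113.5 result=fail
2026-03-04T10:01:09Z recovery_redeem account=admin src=203.0.113.5 result=fail
2026-03-04T10:01:10Z recovery_redeem account=admin src=203.0.113.5 result=fail
2026-03-04T10:02:00Z recovery_request account=alice src=203.0.113.9
2026-03-04T10:02:03Z recovery_request account=carol src=203.0.113.9
2026-03-04T10:02:06Z recovery_request account=dave src=203.0.113.9
2026-03-04T10:02:09Z recovery_request account=erin src=203.0.113.9
2026-03-04T10:02:12Z recovery_request account=frank src=203.0.113.9
"""


def parse(line: str) -> Optional[dict]:
    """Parse one audit line; None for lines that are not recovery events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def detect(lines: Iterable[str], fail_threshold: int = 5, fail_window_s: int = 300,
           spray_threshold: int = 5, spray_window_s: int = 600) -> List[dict]:
    """Sliding-window rules over recovery events, one alert per key."""
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)
    touched: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerted_accounts, alerted_sources = set(), set()
    alerts: List[dict] = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, account, src = rec["ts"], rec["account"], rec["src"]

        # Rule 1: many wrong codes for one account = online guessing of the
        # restore code (the only way a predictable code is cashed in).
        if rec["event"] == "redeem" and rec["result"] == "fail":
            dq = fails[account]
            dq.append(ts)
            while (ts - dq[0]).total_seconds() > fail_window_s:
                dq.popleft()
            if len(dq) >= fail_threshold and account not in alerted_accounts:
                alerted_accounts.add(account)
                alerts.append({"type": "code_guessing", "account": account,
                               "src": src, "count": len(dq), "at": ts})

        # Rule 2: one source touching many accounts = enumeration / spraying
        # of the recovery flow, the precursor step in the exploit scenario.
        dq2 = touched[src]
        dq2.append((ts, account))
        while (ts - dq2[0][0]).total_seconds() > spray_window_s:
            dq2.popleft()
        distinct = {a for _, a in dq2}
        if len(distinct) >= spray_threshold and src not in alerted_sources:
            alerted_sources.add(src)
            alerts.append({"type": "recovery_spraying", "src": src,
                           "distinct_accounts": len(distinct), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Thresholds are deliberately low for a flow that a legitimate user exercises once; tune them against a week of your own recovery logs before alerting on them, and pair the rule with the request-side rate limit rather than relying on detection alone.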
Related vulnerabilities
- Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-leve…
- Authentication bypass in JetBrains Hub (the identity and account-management server behind TeamCity, YouTrack, and other…
- Hub v2.0 property management system allows unauthenticated arbitrary file upload via /utils/uploadFile. Malicious PDF fi…
- JetBrains Hub before 2025.3.119807 has an authentication bypass allowing administrative actions without proper credentia…
- Privilege escalation in JetBrains Hub (versions prior to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024…
- JetBrains Hub versions prior to 2026.1 contain an authentication bypass vulnerability where attackers with valid credent…
- In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API. Rated medium severity (CVSS…
- In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit. Rated low severity (CVSS…
- In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations. Rated low sever…
- In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping. Rated medium sev…
EUVD-2026-38006
GHSA-cq2r-w6jr-x35w