
JetBrains Hub · EUVD-2026-38008

CVE-2026-50242 · CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-19 · JetBrains · GHSA-xqpc-xqhc-3crx
CVSS 3.1 (NVD): 9.8

Severity by source

Vendor (JetBrains), primary: CRITICAL (qualitative)
NVD: 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 7.2 HIGH

The description ties the bypass to 'direct database access,' a privileged prerequisite, so PR:H rather than the vendor's PR:N; once that prerequisite is met, complexity is low and impact is total (C/I/A:H).

CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (JetBrains).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (7 events)

Analysis Updated - Jun 26, 2026 13:28 - vuln.today - v3 (cvss_changed)
Analysis Updated - Jun 26, 2026 13:27 - vuln.today - v2 (cvss_changed)
Re-analysis Queued - Jun 26, 2026 13:22 - vuln.today - cvss_changed
CVSS changed - Jun 26, 2026 13:22 - NVD - 10.0 (CRITICAL) -> 9.8 (CRITICAL)
Patch available - Jun 19, 2026 14:31 - EUVD
Analysis Generated - Jun 19, 2026 13:02 - vuln.today
CVE Published - Jun 19, 2026 11:49 - cve.org - CRITICAL 10.0

Description (NVD)

In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429, authentication bypass via direct database access leading to administrative access was possible.

Analysis (AI)

An authentication bypass in JetBrains Hub (the identity and account-management server behind TeamCity, YouTrack, and other JetBrains tools) lets an actor obtain administrative access via direct database access, per JetBrains' own advisory. Classified under CWE-306 (Missing Authentication for a Critical Function) and vendor-scored CVSS 9.8, it affects all builds before the fixed 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429 releases. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach Hub backend database directly
Exploit: Bypass missing authentication check
Execution: Assert administrative identity in Hub
Impact: Pivot to federated JetBrains tools

Vulnerability Assessment (AI)

Exploitation: The CVE description names the mechanism: the bypass occurs 'via direct database access,' so the concrete prerequisite is the ability to reach and interact with JetBrains Hub's backend database directly, which then yields administrative access. …
Risk Assessment: Signals conflict, and that conflict is the headline. …
Exploit Scenario: An attacker who can reach JetBrains Hub's backend database - via a misconfigured or exposed database port, a foothold on an adjacent internal host, or reused DB credentials - leverages the missing authentication check to assert administrative identity in Hub without a valid login. With admin control of the identity hub, they create or escalate accounts and pivot into federated products such as TeamCity and YouTrack. …
Remediation: Apply the vendor-released patch by upgrading JetBrains Hub to the fixed build on your release line: 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, or 2024.2.148429 (whichever matches your major version); details are on JetBrains' fixed-issues page at https://www.jetbrains.com/privacy-security/issues-fixed/. …

Recommended Action (AI)

Within 24 hours: Identify and inventory all JetBrains Hub instances; determine their current versions and flag any system running a build prior to 2024.2.148429, 2024.3.148430, 2025.1.148120, 2025.2.148048, 2025.3.148033, or 2026.1.13757 on its release line. …
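The remediation and recommended-action steps above both reduce to one check: compare each Hub instance's build against the fixed build on its own release line. Build numbers are not comparable across lines (2026.1.13757 is numerically smaller than 2025.3.148033 yet newer), so a naive string or integer comparison gets it wrong. The following is an added example, not code from vuln.today or JetBrains; the hostnames and inventory entries are constructed, and treating release lines the advisory does not name as "review" is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Fixed builds named in the CVE-2026-50242 description, keyed by release line.
FIXED_BUILDS = {
    (2026, 1): 13757,
    (2025, 3): 148033,
    (2025, 2): 148048,
    (2025, 1): 148120,
    (2024, 3): 148430,
    (2024, 2): 148429,
}
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)$")

def parse_hub_version(version: str) -> Tuple[int, int, int]:
    """Split 'YYYY.minor.build' into (year, minor, build); builds only compare within a line."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Hub version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_to); status is 'vulnerable', 'fixed' or 'review'."""
    year, minor, build = parse_hub_version(version)
    line = (year, minor)
    if line in FIXED_BUILDS:
        fixed = FIXED_BUILDS[line]
        return ("vulnerable", f"{year}.{minor}.{fixed}") if build < fixed else ("fixed", None)
    if line < min(FIXED_BUILDS):
        # Line older than every fixed line: no fix exists on it, so move to the newest fixed build.
        ny, nm = max(FIXED_BUILDS)
        return ("vulnerable", f"{ny}.{nm}.{FIXED_BUILDS[(ny, nm)]}")
    # Assumption: a line the advisory does not name (e.g. newer than 2026.1) is not decided here.
    return ("review", None)

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, upgrade_to) for every inventory entry still on a vulnerable build."""
    hits = []
    for host, version in inventory:
        status, target = assess(version)
        if status == "vulnerable":
            hits.append((host, version, target))
    return hits

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("hub-prod-01", "2025.3.147900"),   # behind the 2025.3 fixed build
    ("hub-prod-02", "2025.3.148033"),   # exactly the fixed build
    ("hub-legacy", "2024.1.51234"),     # release line with no fixed build listed
]
```

Feed `triage` the (hostname, version) pairs from your asset inventory; anything it returns should be upgraded to the build in the third field.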

