Skip to main content

IntelliJ IDEA EUVDEUVD-2026-42910

| CVE-2026-59792 CRITICAL
Relative Path Traversal (CWE-23)
2026-07-10 JetBrains GHSA-6f7v-4c46-hrp4
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (JetBrains) PRIMARY
CRITICAL
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Triggered by loading a crafted project, so AV:L and UI:R rather than the NVD's AV:N/UI:N; code execution yields full C/I/A on the victim host.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (JetBrains).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jul 10, 2026 - 18:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 10, 2026 - 18:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 18:52 vuln.today
cvss_changed
CVSS changed
Jul 10, 2026 - 18:52 NVD
9.6 (CRITICAL) 9.8 (CRITICAL)
Patch available
Jul 10, 2026 - 16:16 EUVD
Analysis Generated
Jul 10, 2026 - 15:40 vuln.today
CVE Published
Jul 10, 2026 - 14:18 cve.org
CRITICAL 9.6

DescriptionNVD

In JetBrains IntelliJ IDEA before 2026.1.4, 2026.2 code execution via path traversal in project workspace ID handling was possible

AnalysisAI

Code execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper sanitization of the project workspace ID to write or reference files outside the intended workspace directory, culminating in arbitrary code execution. The flaw was self-reported by JetBrains and a fix is available; no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft project with traversal in workspace ID
Delivery
Deliver malicious project to developer
Exploit
Victim opens project in IntelliJ IDEA
Execution
Path traversal resolves outside workspace
Persist
IDE writes attacker-controlled file
Impact
Execute arbitrary code as developer

Vulnerability AssessmentAI

Exploitation Exploitation targets the project workspace ID handling routine, so the concrete prerequisite is that a vulnerable IntelliJ IDEA (before 2026.1.4, or 2026.2) loads a project carrying an attacker-controlled workspace ID with path-traversal content. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H = 9.8) implies fully remote, unauthenticated, no-interaction RCE, but this conflicts with the description, which points to project workspace ID handling - a code path exercised when a project is loaded into the IDE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a project (shared via a repository, ZIP, or sample template) whose workspace ID contains traversal sequences; when a developer opens it in a vulnerable IntelliJ IDEA, the IDE resolves the ID outside the workspace and writes to an attacker-controlled path, dropping or overwriting a file that leads to code execution in the developer's context. No public exploit is known, and the low CVSS attack complexity suggests reliable triggering once a victim opens the crafted project.
Remediation Vendor-released patch: upgrade to IntelliJ IDEA 2026.1.4 or later on the 2026.1 branch, and to the patched 2026.2 build, as published on the JetBrains Security page at https://www.jetbrains.com/privacy-security/issues-fixed/; the JetBrains Toolbox App or in-IDE update channel will deliver these. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all IntelliJ IDEA installations in development environments, determine affected versions (before 2026.1.4), and notify development teams. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-51655 CRITICAL
9.8 Dec 21

In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin

CVE-2020-11690 CRITICAL
9.8 Apr 22

In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases. Rated

CVE-2019-9873 CRITICAL
9.8 Jul 03

In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartex

CVE-2019-9823 CRITICAL
9.8 Jul 03

In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to s

CVE-2019-9186 CRITICAL
9.8 Jul 03

In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote att

CVE-2019-10104 CRITICAL
9.8 Jul 03

In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin,

CVE-2019-9872 HIGH
8.1 Jul 03

In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads

CVE-2026-49367 HIGH
8.0 May 29

Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user accou

CVE-2026-49366 HIGH
7.8 May 29

Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusin

CVE-2023-39261 HIGH
7.8 Jul 26

In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions. Rated high severity (CVS

CVE-2022-47896 HIGH
7.8 Dec 22

In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks. Rated high severity (CVSS 7.8

CVE-2022-46828 HIGH
7.8 Dec 08

In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible. Rated high severity (CVSS 7.8), this v

Share

EUVD-2026-42910 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy