Critical JetBrains Vulnerabilities Enable Authentication Bypass and Code Execution Attacks
JetBrains has released critical security updates for multiple vulnerabilities affecting its on-premise ecosystem, including Hub, YouTrack, IDEs, Kotlin, and TeamCity, enabling authentication bypass and remote code execution.

JetBrains has issued urgent security updates to address a significant cluster of critical vulnerabilities impacting its on-premise ecosystem. These flaws span essential development tools and infrastructure, including JetBrains Hub, YouTrack, various IntelliJ-based IDEs, Kotlin, GoLand, and TeamCity. Collectively, the vulnerabilities enable attackers to bypass authentication, take over accounts, and execute arbitrary code remotely, posing a substantial risk to development pipelines and CI/CD environments.
The most severe issues are concentrated in JetBrains Hub and YouTrack, which serve as central components for identity management and project tracking. In Hub, attackers can exploit predictable restore codes to hijack user accounts and gain administrative privileges. A separate vulnerability allows for privilege escalation by enabling attackers to attach authentication details from other accounts to their own profile. Furthermore, multiple Hub vulnerabilities permit authentication bypass through direct database access, granting attackers full administrative control without valid credentials.
YouTrack mirrors these critical identity-layer risks: it has an authentication bypass tied to direct database access that can lead to administrative takeover of the issue-tracking system. These identity-focused flaws can be chained with other vulnerabilities to achieve complete environment compromise. The severity is amplified because recent release lines, including 2024-2026 versions, are affected, meaning even up-to-date instances require immediate patching.
Beyond authentication and account takeover, JetBrains has also patched several critical remote code execution (RCE) vulnerabilities. In Kotlin, unsafe deserialization in build cache metadata can lead to arbitrary code execution during build operations. In GoLand, untrusted project configurations allow RCE simply by opening a malicious project. IntelliJ IDEA suffers from multiple RCE vectors, including command injection via filename completion and code execution through the guest user account, particularly where attackers can influence project content or guest sessions.
TeamCity, a crucial component for continuous integration and continuous delivery, is also affected by an RCE vulnerability linked to Perforce connection settings. This poses a significant risk to the software supply chain, as a compromised TeamCity instance can lead to tampering with builds, artifacts, and deployments. Chaining an authentication bypass in Hub or YouTrack with an RCE primitive in TeamCity or an IDE allows attackers to move from an initial foothold to full control over the development and deployment infrastructure.
Organizations utilizing multi-tenant or shared JetBrains deployments face an elevated risk of cross-project data exposure and build tampering, particularly in environments that commonly use guest access, remote development, or handle untrusted projects. The broad impact across JetBrains' product suite underscores the interconnectedness of development toolchains and the cascading effects of security failures.
JetBrains has released updated versions for all impacted products, including Hub, YouTrack, Kotlin, GoLand, IntelliJ IDEA, and TeamCity, that address these critical vulnerabilities. Administrators are strongly advised to prioritize upgrading Hub and YouTrack to the latest versions, enforce multi-factor authentication (MFA), and monitor direct database access. For TeamCity, credential rotation and review of build configuration histories are essential. On developer endpoints, updating IDEs, limiting the opening of untrusted projects, and reviewing plugin trust policies are critical mitigation steps. Security teams should also audit logs for anomalous administrative actions and reinforce role-based access controls to minimize the potential blast radius of future incidents.