JetBrains Hub: Three Auth Flaws Including Bypass and Account Takeover Disclosed Together with GoLand RCE Bug

Key findings
- CVE-2026-50242 allows authentication bypass via direct database access, leading to full admin control
- CVE-2026-56141 enables account takeover through predictable restore codes
- CVE-2026-56142 is a privilege escalation bug that lets attackers attach auth details to accounts
- CVE-2026-53915 is a remote code execution flaw in GoLand via untrusted project configs
- All Hub fixes are backported to versions as old as 2024.2; GoLand patched in 2026.1.3
JetBrains Hub, the company's self-hosted team collaboration platform, received a coordinated security update on June 19, 2026, addressing three authentication-related vulnerabilities that could allow attackers to fully compromise administrative accounts. The same advisory cycle also patched a separate remote code execution flaw in JetBrains GoLand, the company's Go IDE.
Authentication Bypass via Direct Database Access
The most severe of the Hub flaws is CVE-2026-50242, an authentication bypass that can be exploited by an attacker who already has direct database access. By manipulating database records, the attacker can escalate that foothold into full administrative access to the Hub instance. JetBrains rates this as a critical-severity issue, as it effectively neutralizes the authentication layer for anyone who can reach the underlying database.
Account Takeover via Predictable Restore Codes
CVE-2026-56141 describes a separate attack path: account takeover via predictable restore codes. Hub's account recovery mechanism generated codes that could be guessed or brute-forced, allowing an attacker to seize control of any user's account — including administrators — without needing credentials or database access. This vulnerability is particularly dangerous because it can be triggered remotely through the normal web interface.
Privilege Escalation by Attaching Authentication Details
The third Hub vulnerability, CVE-2026-56142, is a privilege escalation bug that lets an attacker attach authentication details (such as OAuth tokens or session credentials) to accounts they should not control. Combined with the other flaws, this could be used to move laterally across a Hub organization after an initial compromise.
Remote Code Execution in GoLand
Separately, JetBrains patched CVE-2026-53915 in GoLand, a remote code execution vulnerability triggered by untrusted project configuration files. If a developer opens a malicious project — for example, one cloned from a compromised repository — GoLand could execute arbitrary code on the developer's machine. This is the kind of supply-chain attack vector that has been increasingly targeted in the wild.
Patch Status and Mitigations
All four vulnerabilities are fixed in the following versions:
- **Hub**: 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429
- **GoLand**: 2026.1.3
JetBrains recommends that all self-hosted Hub administrators update immediately, as the authentication bypass and account takeover bugs can be chained for full compromise. GoLand users should update to the latest 2026.1.x build and avoid opening projects from untrusted sources until patched.
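As an added example that is not part of the advisory, the following Python check maps an installed Hub or GoLand version string onto the fixed builds listed above and reports whether the instance is patched. It assumes the `year.minor.build` version format shown in the list, treats Hub branches older than 2024.2 as unfixed (no backport was issued for them), and flags branches newer than those listed as unknown rather than guessing.

```python
import re
from typing import Tuple

# Fixed Hub builds from the advisory, keyed by release branch (year, minor).
HUB_FIXED_BUILDS = {
    (2026, 1): 13757,
    (2025, 3): 148033,
    (2025, 2): 148048,
    (2025, 1): 148120,
    (2024, 3): 148430,
    (2024, 2): 148429,
}
# First GoLand build carrying the CVE-2026-53915 fix.
GOLAND_FIXED = (2026, 1, 3)

_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'year.minor.build' into integers; reject anything else loudly."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognized JetBrains version string: {version!r}")
    year, minor, build = (int(part) for part in match.groups())
    return year, minor, build


def hub_patch_status(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for an installed Hub build."""
    year, minor, build = parse_version(version)
    branch = (year, minor)
    if branch in HUB_FIXED_BUILDS:
        # Build numbers are only comparable within the same release branch.
        return "patched" if build >= HUB_FIXED_BUILDS[branch] else "vulnerable"
    if branch < min(HUB_FIXED_BUILDS):
        # Assumption: branches older than 2024.2 got no backport, so they stay exposed.
        return "vulnerable"
    # A branch newer than the advisory lists: do not assume, verify manually.
    return "unknown"


def goland_patch_status(version: str) -> str:
    """GoLand has a single fixed build; everything earlier is unpatched."""
    return "patched" if parse_version(version) >= GOLAND_FIXED else "vulnerable"
```

Run `hub_patch_status` against the version reported by each Hub instance's admin page during inventory, and treat "unknown" as a follow-up item rather than a pass.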
Why This Batch Matters
For organizations running JetBrains Hub as their central development hub, the three authentication CVEs represent a serious risk: an attacker who gains any initial access — even read-only database access — can pivot to full administrative control. The GoLand RCE, meanwhile, highlights the growing attack surface in IDE project files, a vector that security teams should monitor closely.