JetBrains Patches Six Vulnerabilities Across TeamCity, YouTrack, and IntelliJ IDEA
JetBrains has released patches for six vulnerabilities impacting its development tools, including critical flaws in IntelliJ IDEA and TeamCity.

JetBrains has released security updates to address six vulnerabilities across its popular software development and project management products: IntelliJ IDEA, TeamCity, and YouTrack. The patches aim to mitigate risks ranging from code execution and arbitrary file access to cross-site scripting and unauthorized pipeline modifications.
The most critical of the disclosed flaws is CVE-2026-59792, a path traversal vulnerability in IntelliJ IDEA. This flaw, reported by Antoni Tremblay, could allow attackers to exploit project workspace ID processing to gain unauthorized access and potentially execute code on affected systems. JetBrains has resolved this issue in IntelliJ IDEA versions 2026.1.4 and 2026.2.
TeamCity, JetBrains' continuous integration and continuous delivery (CI/CD) server, is particularly affected, with four high-severity vulnerabilities patched. CVE-2026-59793, a CWE-73 flaw in the Perforce VCS integration, could permit arbitrary file access. Additionally, two stored cross-site scripting (XSS) vulnerabilities, CVE-2026-59794 and CVE-2026-59795, could enable malicious JavaScript execution within users' browsers, potentially leading to session theft or interface manipulation. The first XSS vulnerability stems from agent-reported data displayed on the cloud profile page, while the second can be triggered via unauthenticated agent registration. Finally, CVE-2026-59796, a CWE-862 vulnerability, allows for unauthorized pipeline modifications due to improper authorization checks, posing a risk to build integrity and the software supply chain.
These TeamCity vulnerabilities were addressed in version 2026.1.2. The arbitrary file access flaw was reported by @maple3142, and the pipeline modification issue was reported by Alwion.
YouTrack, JetBrains' issue tracking system, also received a patch for a low-severity CSS injection vulnerability, CVE-2026-59791. This flaw, reported by Rohit Prasanth (h3ri0s), arises from the rendering of Mermaid diagrams and, while not directly executing scripts, can alter page presentation, potentially facilitating phishing or deceptive attacks. This has been fixed in YouTrack version 2026.2.17012.
Organizations utilizing IntelliJ IDEA, TeamCity, or YouTrack are strongly advised to update to the latest patched versions immediately. Administrators should also review TeamCity agent registration settings, audit recent pipeline changes, and examine access logs for any suspicious repository or file-access activity to ensure their environments are secure.
The swift patching of these vulnerabilities underscores the ongoing importance of timely software updates in maintaining robust security postures against evolving threats. Developers and project managers rely heavily on these tools, making their security paramount to the integrity of the software development lifecycle.