Impact
In JetBrains Hub versions earlier than 2025.3.119807, an authentication bypass flaw allowed any authenticated user to execute administrative functions without proper credential verification. This missing-authentication weakness (CWE-306) effectively lets an attacker gain unauthorized administrative privileges, compromising the integrity of the system. The flaw can lead to the modification or deletion of user accounts and configuration data, and potentially to unauthorized access to sensitive information stored within Hub.
Affected Systems
The vulnerability affects JetBrains Hub, a collaboration and project management platform. Versions released before 2025.3.119807 are vulnerable. Administrators should check the installed product version and apply the update (2025.3.119807 or later) as soon as it is available to them. According to the CNA, no other vendors or product lines are impacted.
Risk and Exploitability
With a CVSS score of 9.1, this is a critical vulnerability, yet the EPSS score is below 1%, indicating a currently very low probability of exploitation. The flaw is not listed in CISA's KEV catalog. Attackers could exploit the bypass remotely by sending specially crafted requests to the Hub API or web interface, requiring only an active session or minimal authentication. Based on the description, the attack vector is inferred to involve authenticated users with access to the Hub, but the precise exploit steps are not publicly detailed. Given the high severity, organizations should treat this as an urgent risk, since successful exploitation can yield full administrative control over the Hub instance.
OpenCVE Enrichment