Description
In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled
Published: 2026-03-11
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass / Account Takeover
Action: Patch Now
AI Analysis

Impact

JetBrains Hub allows a user to be authenticated as an unintended account when signing in with a non‑SSO authentication method while two‑factor authentication is disabled. Because the resulting session belongs to a different user than the one who authenticated, an attacker can read data or perform actions on that user's behalf. The vulnerability stems from improper enforcement of account‑matching conditions during the sign‑in workflow and is catalogued as CWE‑290 (Authentication Bypass by Spoofing).

Affected Systems

The flaw affects JetBrains Hub versions older than 2026.1. Any deployment of Hub before that release is susceptible, regardless of the specific minor revision. It applies to all installations that rely on non‑SSO authentication with 2FA disabled.

Risk and Exploitability

The CVSS base score of 6.8 places the vulnerability in the Medium severity range, while an EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. The vulnerability is not present in the CISA KEV catalog. Exploitation requires the attacker to initiate a sign‑in sequence with a non‑SSO method against an account that has 2FA turned off; the CVSS vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N) reflects a network‑reachable attack of high complexity that needs only low privileges and no user interaction, with high confidentiality and integrity impact and no availability impact. An attacker who obtains a session as another user can read or modify that user's data, with business impact if sensitive information is reached.

Generated by OpenCVE AI on April 16, 2026 at 03:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the JetBrains Hub 2026.1 update or later to replace affected authentication logic.
  • Enable two‑factor authentication for all Hub accounts to eliminate the flaw’s prerequisite.
  • Restrict or disable non‑SSO authentication methods until a patch is applied, or enforce SSO onboarding for all new users.

Advisories

No advisories yet.

History

Each entry lists the record type and the values added; no values were removed in any entry.

Thu, 16 Apr 2026 03:30:00 +0000

  • Title (added): Authentication Bypass via Account Mismatch in JetBrains Hub

Thu, 02 Apr 2026 13:15:00 +0000

  • CPEs (added): cpe:2.3:a:jetbrains:hub:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 10:15:00 +0000

  • First Time appeared (added): Jetbrains; Jetbrains hub
  • Vendors & Products (added): Jetbrains; Jetbrains hub

Wed, 11 Mar 2026 16:15:00 +0000

  • Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 15:15:00 +0000

  • Description (added): In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled
  • Weaknesses (added): CWE-290
  • References: (no values shown)
  • Metrics (added): cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-03-12T03:55:31.443Z

Reserved: 2026-03-11T14:42:57.649Z

Link: CVE-2026-32229

Vulnrichment

Updated: 2026-03-11T15:40:32.893Z

NVD

Status: Analyzed

Published: 2026-03-11T15:16:31.817

Modified: 2026-04-02T13:11:36.753

Link: CVE-2026-32229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:15:22Z

Weaknesses