Description
In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server
Published: 2026-04-30
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lets an attacker read arbitrary local files through the built‑in web server of JetBrains IntelliJ IDEA, which does not adequately validate requested file paths and serves file content without proper restriction. Source code, configuration files and other sensitive data on the developer's machine can be disclosed, so the impact is to confidentiality only; the CVSS vector records no integrity or availability impact. The weakness is classified as CWE‑59 (improper link resolution before file access).

Affected Systems

Per the CVE description, IntelliJ IDEA builds earlier than 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1 and 2026.1.1 (one fixed build per release line) are affected; those builds and later ones contain the fix. The vulnerable component is the built‑in web server, so an installation is exposed when that server is active, and most exposed when it is reachable from a network rather than only from the local machine.

Risk and Exploitability

The CVSS 3.1 score of 7.4 rates the flaw high severity, while the EPSS score below 1% indicates a low estimated probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. The description does not spell out the attack path; the likely vector is a crafted request to the built‑in web server, either sent directly when the server is exposed to a network or triggered by a local request the user is induced to make, which resolves to an arbitrary file path that the IDE then serves as plain text. The CVSS vector (network attack vector, no privileges required, user interaction required, changed scope) is consistent with this reading. In practice the scenario mainly concerns insiders on the same network or attackers who can trick a developer into directing the IDE's web server to an adversary‑controlled address, so it is most relevant to local or insider threats.

Generated by OpenCVE AI on May 2, 2026 at 00:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update IntelliJ IDEA to the fixed build for the release line in use, that is 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1 or 2026.1.1, or any newer build.
  • If an immediate update is not possible, reduce the built‑in web server's exposure: in the IDE settings, do not allow it to accept external connections (keep it bound to localhost) and, where the server is not needed, stop it from listening on its port.
  • Restrict network access to the built‑in web server with host firewall rules that block inbound connections to its port from other machines, so the IDE is reachable only from trusted local networks.

Advisories

No advisories yet.

History

Tue, 05 May 2026 00:30:00 +0000

Type: CPEs
Values Added:
cpe:2.3:a:jetbrains:intellij_idea:2024.3.7.1:*:*:*:*:*:*:*
cpe:2.3:a:jetbrains:intellij_idea:2025.1.7.1:*:*:*:*:*:*:*
cpe:2.3:a:jetbrains:intellij_idea:2025.2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:jetbrains:intellij_idea:2025.3.4.1:*:*:*:*:*:*:*
cpe:2.3:a:jetbrains:intellij_idea:2026.1.1:*:*:*:*:*:*:*

Sat, 02 May 2026 00:45:00 +0000

Type: Title
Values Added: Arbitrary Local File Access via Built‑in Web Server in IntelliJ IDEA

Thu, 30 Apr 2026 14:15:00 +0000

Type: First Time appeared
Values Added: Jetbrains; Jetbrains intellij Idea

Type: Vendors & Products
Values Added: Jetbrains; Jetbrains intellij Idea

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 11:45:00 +0000

Type: Description
Values Added: In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server

Type: Weaknesses
Values Added: CWE-59

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}


Subscriptions

Jetbrains Intellij Idea
MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-04-30T13:05:06.370Z

Reserved: 2026-04-22T15:04:29.230Z

Link: CVE-2026-41882

Vulnrichment

Updated: 2026-04-30T13:05:03.370Z

NVD

Status: Analyzed

Published: 2026-04-30T12:16:24.207

Modified: 2026-05-05T00:24:51.107

Link: CVE-2026-41882

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:30:16Z

Weaknesses