Description
In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion
Published: 2026-05-29
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetBrains IntelliJ IDEA versions prior to 2026.1.1 allow command injection through the filename completion feature. This flaw permits an attacker to execute arbitrary shell commands on the host where the IDE runs, compromising confidentiality, integrity, and availability across user sessions.

Affected Systems

The vulnerability affects JetBrains IntelliJ IDEA installations running any version earlier than 2026.1.1. Users of the community or professional editions using the default file completion mechanism are within scope. No specific operating system restrictions were stated in the data.

Risk and Exploitability

The flaw carries a CVSS score of 7.8, indicating high severity. No EPSS value is available, so the likelihood of exploitation cannot be quantified. It is not listed in the CISA KEV catalog. Attackers could target the IDE from a local machine with sufficient privileges, possibly leveraging the feature in scripts or automated build processes. The vulnerability has no network exposure unless the IDE itself is reachable over the network, so local compromise remains the primary threat vector.

Generated by OpenCVE AI on May 29, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to IntelliJ IDEA 2026.1.1 or later to remove the vulnerable filename completion logic.
  • As a temporary mitigating control, disable or restrict the file completion feature for users who cannot immediately apply a patch.
  • Restrict the IDE’s execution context so that it runs under least‑privilege accounts, minimizing the impact if an attacker exploits the command injection.



Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 29 May 2026 20:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Command Injection via Filename Completion in JetBrains IntelliJ IDEA |

Fri, 29 May 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Jetbrains; Jetbrains intellij Idea |
| Vendors & Products | | Jetbrains; Jetbrains intellij Idea |

Fri, 29 May 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-05-30T03:57:38.324Z

Reserved: 2026-05-29T18:07:52.387Z

Link: CVE-2026-49366

Vulnrichment

Updated: 2026-05-29T18:31:46.180Z

NVD

Status: Awaiting Analysis

Published: 2026-05-29T19:16:26.313

Modified: 2026-05-29T20:11:15.977

Link: CVE-2026-49366

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T19:45:06Z

Weaknesses