Description
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 authentication bypass via direct database access leading to administrative access was possible
Published: 2026-06-19
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker who can send queries directly to the JetBrains Hub database to bypass the normal authentication process. This defect, classified as CWE-306 (Missing Authentication for Critical Function), lets the attacker assume any user identity, including that of an administrator, without valid credentials. The result is full control over the Hub instance, enabling configuration changes, data tampering, and potential lateral movement within the organization.

Affected Systems

JetBrains Hub versions prior to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429 are affected; each value is the first fixed build of its release branch, and every build below it on that branch carries the authentication bypass flaw.

Risk and Exploitability

The CVSS score of 10 indicates critical severity, although the EPSS score is currently unavailable and the flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an attacker with the ability to query the database directly, whether through exposed database ports, local system access, or compromised application credentials. If that access is obtained, the attacker immediately gains administrative privileges within the Hub instance. Note that the published vector (AV:N/AC:L/PR:N/UI:N) rates the flaw as reachable over the network without privileges or user interaction, so the database-access precondition should be treated as a working assumption from the description rather than a confirmed requirement. The high CVSS score indicates that exploitation would have complete confidentiality, integrity, and availability impact on the affected environment.

Generated by OpenCVE AI on June 19, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest JetBrains Hub patch, or upgrade to the first fixed build of your release branch (2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, or 2024.2.148429)
  • Restrict network access to the Hub database to trusted internal hosts only and limit inbound ports
  • Enforce strong authentication for every service with database connectivity, so that only authorized application accounts can query the Hub database
  • Monitor and audit database connections for anomalous activity, such as connections from hosts other than the Hub application server

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

  Type                 Values Removed   Values Added
  Title                                 Authentication Bypass via Direct Database Access Granting Administrative Access
  First Time appeared                   Jetbrains; Jetbrains hub
  Vendors & Products                    Jetbrains; Jetbrains hub

Fri, 19 Jun 2026 12:45:00 +0000

  Type                 Values Removed   Values Added
  Description                           In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 authentication bypass via direct database access leading to administrative access was possible
  Weaknesses                            CWE-306
  References
  Metrics                               cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-06-19T11:49:42.383Z

Reserved: 2026-06-04T13:03:06.750Z

Link: CVE-2026-50242

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T15:00:05Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function