Description
In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata
Published: 2026-06-26
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from deserializing untrusted build cache metadata in JetBrains Kotlin versions before 2.4.20. This can lead to arbitrary code execution. The weakness is a deserialization flaw (CWE-502). An attacker who can introduce malicious metadata into the build cache can trigger code execution during normal build operations.

Affected Systems

JetBrains Kotlin binaries before version 2.4.20 are affected. Users of the Kotlin compiler and tools that rely on the build cache—such as integrated development environments or continuous integration pipelines—may be susceptible. Version 2.4.20 and later contain the fix.

Risk and Exploitability

The CVSS score of 6.7 indicates moderate severity. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, so there is no known large-scale exploitation activity. Exploitation requires the ability to place malicious metadata in the cache (the CVSS vector rates it local, high complexity and high privileges); if the build environment is shared or the cache is network-accessible, this becomes a realistic attack vector. Treat the risk as moderate and address it promptly.

Generated by OpenCVE AI on June 26, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kotlin to version 2.4.20 or later
  • Limit access to the build cache to trusted users and processes—restrict write permissions and disable network exposure if possible
  • Monitor build logs for unexpected deserialization errors and verify that the cache path is not writable by untrusted components
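The two actionable checks in the list above (confirm the Kotlin version is at or past the fixed release, and confirm the cache directory is not writable by untrusted accounts) can be scripted. The following is an added example written for this page, not code from OpenCVE or JetBrains. It assumes a placeholder cache directory (the advisory does not name the real path; substitute your build's cache location) and an assumed `kotlinc -version` output shape for the version line; the sample version strings are constructed. A pre-release build of exactly 2.4.20 is deliberately treated as unfixed, since the advisory only vouches for the released version.

```python
import os
import re
import stat
from typing import List, Tuple

# Fixed version from the advisory: Kotlin 2.4.20 and later contain the fix.
FIXED_VERSION = (2, 4, 20)

# Placeholder: the advisory does not state where the Kotlin build cache lives.
# Replace with the directory your build actually uses (assumption, not from the page).
DEFAULT_CACHE_DIR = os.path.expanduser("~/.kotlin/build-cache-PLACEHOLDER")

# Matches "2.4.20" or "2.4.20-RC2" inside a longer line.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, patch), pre_release_tag) found in text.

    Accepts a bare version ("2.4.20") or a line in the assumed
    `kotlinc -version` shape, e.g. "info: kotlinc-jvm 2.4.20 (JRE 21.0.1+12)".
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return nums, (m.group(4) or "")


def is_fixed_version(text: str) -> bool:
    """True if the version is a released 2.4.20 or anything later.

    Conservative choice: "2.4.20-RC" and similar pre-releases of the fixed
    version are reported as unfixed, because only the release is vouched for.
    """
    nums, pre = parse_version(text)
    if nums > FIXED_VERSION:
        return True
    return nums == FIXED_VERSION and pre == ""


def writable_by_others(mode: int) -> bool:
    """True if the group or world write bit is set on a POSIX mode value."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cache_dir(cache_dir: str) -> List[str]:
    """Return every path under cache_dir that group or world can write to.

    Any such entry lets an untrusted local account plant metadata that the
    build will later deserialize, which is the precondition for this CVE.
    A missing directory yields an empty list (nothing to audit).
    """
    findings: List[str] = []
    if not os.path.isdir(cache_dir):
        return findings
    if writable_by_others(os.lstat(cache_dir).st_mode):
        findings.append(cache_dir)
    for root, dirs, files in os.walk(cache_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # entry vanished or is unreadable; skip rather than fail
            if writable_by_others(mode):
                findings.append(path)
    return findings


if __name__ == "__main__":
    # Constructed sample of a kotlinc -version line (assumed format, not real output).
    sample_version_line = "info: kotlinc-jvm 2.4.19 (JRE 21.0.1+12)"
    status = "fixed" if is_fixed_version(sample_version_line) else "VULNERABLE, upgrade to 2.4.20+"
    print(f"Kotlin version check: {status}")
    for bad in audit_cache_dir(DEFAULT_CACHE_DIR):
        print(f"cache entry writable by group/world: {bad}")
```

In a real pipeline, feed `is_fixed_version` the captured output of `kotlinc -version` and point `audit_cache_dir` at the cache directory the build is configured to use; a non-empty findings list means the write-restriction step above has not been applied.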

Tracking

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:00:00 +0000

Type: First Time appeared
Values Added: Jetbrains; Jetbrains kotlin
Type: Vendors & Products
Values Added: Jetbrains; Jetbrains kotlin

Fri, 26 Jun 2026 15:00:00 +0000

Type: Title
Values Added: Unsafe Deserialization in Kotlin Build Cache Enables Code Execution

Fri, 26 Jun 2026 14:30:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 13:30:00 +0000

Type: Description
Values Added: In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata
Type: Weaknesses
Values Added: CWE-502
Type: References
Values Added: (none listed)
Type: Metrics
Values Added: cvssV3_1
{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L'}

Subscriptions

Jetbrains Kotlin
MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-06-27T03:55:26.966Z

Reserved: 2026-06-11T13:00:42.498Z

Link: CVE-2026-53914

Vulnrichment

Updated: 2026-06-26T13:26:03.768Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T16:45:03Z

Weaknesses
  • CWE-502: Deserialization of Untrusted Data