Description
In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project configuration
Published: 2026-06-19
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can achieve arbitrary code execution in the user’s environment by supplying an untrusted project configuration file to JetBrains GoLand. The exploitable weakness is a file path manipulation flaw that allows loading of external resources without proper validation, leading to remote code execution. The design flaw corresponds to CWE-73, External Control of File Name or Path.

Affected Systems

The vulnerability impacts all versions of JetBrains GoLand earlier than 2026.1.3, regardless of platform. Users running older GoLand releases must verify that their installations are not below this version.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. No EPSS score is available, so exact exploitation likelihood is unknown, but the vulnerability is not listed in CISA’s KEV, implying it has not yet been widely exploited in the wild. The likely attack vector is a remote, client‑sourced configuration file that an attacker can place in a project directory, resulting in local code execution on the user's machine.

Generated by OpenCVE AI on June 19, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest JetBrains GoLand release (2026.1.3 or newer) where the path validation bug is fixed.
  • Review and restrict project configuration files so that only trusted sources can be loaded; disable automatic loading of external project configurations where possible.
  • Follow JetBrains security advisories and monitor their safety portal for updates or related advisories.
  • Verify that directories containing project configuration files are located in secure, non‑publicly reachable locations.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Remote Code Execution via Untrusted Project Configuration in JetBrains GoLand |
| First Time appeared | | Jetbrains; Jetbrains goland |
| Vendors & Products | | Jetbrains; Jetbrains goland |

Fri, 19 Jun 2026 12:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project configuration |
| Weaknesses | | CWE-73 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-06-19T11:49:40.981Z

Reserved: 2026-06-11T13:00:42.886Z

Link: CVE-2026-53915

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T14:30:04Z

Weaknesses
  • CWE-73: External Control of File Name or Path