Description
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 account takeover via predictable restore codes was possible
Published: 2026-06-19
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetBrains Hub in versions prior to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429 generates password‑recovery restore codes that are predictable because they are produced with insufficient randomness. An attacker who can observe or guess the code can bypass the normal account recovery procedure and take control of the victim's account, compromising the confidentiality, integrity, and availability of that user's data. The weakness is classified as CWE‑338, Use of Cryptographically Weak Pseudo‑Random Number Generator (PRNG).

Affected Systems

The affected product is JetBrains Hub. Versions earlier than 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429 are vulnerable; those versions and later are not known to be affected.

Risk and Exploitability

The vulnerability receives a CVSS score of 9.8, indicating critical severity. No EPSS score is available and the vulnerability is not listed in CISA KEV, so there is no public evidence of exploitation at the time of writing. The likely attack vector is the restore‑code password recovery flow: an attacker must trigger or observe a recovery request for the target account and then either guess or compute the predictable code. If successful, the attacker gains full control of the target account.

Generated by OpenCVE AI on June 19, 2026 at 14:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains Hub to version 2026.1.13757 or later to eliminate the predictable restore code generation flaw
  • If an upgrade cannot be applied immediately, enforce multi‑factor authentication and consider disabling or limiting the password‑recovery restore‑code workflow until the patch is applied
  • Implement rate limiting on password‑reset or restore‑code endpoints to reduce the success of brute‑force or guess attempts
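The Impact section above describes the weakness class (CWE‑338, a restore code drawn from a weak PRNG) and the recommended actions above ask for rate limiting on the restore‑code endpoint. The following added example, written for this page and not taken from JetBrains Hub's code base, contrasts a constructed weak generator (a general‑purpose PRNG seeded from the request timestamp, so the code is a pure function of a value an attacker can estimate) with a hardened restore‑code service: codes come from the OS CSPRNG via `secrets`, only a hash is stored, each code expires, is single‑use, is compared in constant time, and each account gets a bounded guess budget. The constants `CODE_TTL_SECONDS` and `MAX_ATTEMPTS` and the class and function names are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import random
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_TTL_SECONDS = 15 * 60   # hypothetical lifetime of a restore code
MAX_ATTEMPTS = 5             # hypothetical per-account guess budget


def weak_restore_code(request_time: int) -> str:
    """CWE-338 pattern (constructed illustration, not Hub's actual code):
    a general-purpose PRNG seeded from the request timestamp. The output is
    a deterministic function of the seed, so anyone who knows roughly when
    the reset was requested can re-run this and reproduce the code."""
    rng = random.Random(request_time)
    return "".join(rng.choice("0123456789") for _ in range(8))


def strong_restore_code() -> str:
    """Hardened generator: the OS CSPRNG via the secrets module. 32 random
    bytes give 256 bits of entropy, far beyond any online guessing budget."""
    return secrets.token_urlsafe(32)


def _digest(code: str) -> str:
    # Store only a hash so a read of the pending-reset table yields nothing
    # that can be presented to the endpoint.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


@dataclass
class PendingReset:
    code_digest: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class RestoreCodeService:
    """Issues and redeems expiring, single-use restore codes with a
    per-account attempt limit (the rate-limiting recommendation)."""

    def __init__(self) -> None:
        self._pending: Dict[str, PendingReset] = {}

    def issue(self, account: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = strong_restore_code()
        # Issuing a new code invalidates any earlier one for the account.
        self._pending[account] = PendingReset(_digest(code), now + CODE_TTL_SECONDS)
        return code  # delivered out of band (e.g. e-mail); never logged

    def redeem(self, account: str, presented: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(account)
        if entry is None or entry.used or now > entry.expires_at:
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            return False          # guess budget exhausted; user must re-request
        entry.attempts += 1
        # Constant-time comparison so the check does not leak the digest
        # byte by byte through timing.
        if not hmac.compare_digest(entry.code_digest, _digest(presented)):
            return False
        entry.used = True         # single use: a replayed code is refused
        return True


if __name__ == "__main__":
    # Same request second -> same weak code; strong codes never repeat.
    print("weak, seeded twice with the same second:",
          weak_restore_code(1_750_000_000), weak_restore_code(1_750_000_000))
    print("strong:", strong_restore_code(), strong_restore_code())
```

The weak generator is deliberately simple so the predictability is visible: two calls with the same seed agree, which is exactly the property CWE‑338 warns about. The service's guess budget is per pending code, so a fresh `issue` resets it; a production deployment would add a per‑IP limit on the request endpoint as well.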



Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type                | Values Removed | Values Added
Title               |                | Predictable Restore Codes Allow Account Takeover in JetBrains Hub
First Time appeared |                | Jetbrains; Jetbrains hub
Vendors & Products  |                | Jetbrains; Jetbrains hub

Fri, 19 Jun 2026 12:45:00 +0000

Type        | Values Removed | Values Added
Description |                | In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 account takeover via predictable restore codes was possible
Weaknesses  |                | CWE-338
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-06-19T11:49:41.463Z

Reserved: 2026-06-19T10:56:21.387Z

Link: CVE-2026-56141

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T15:30:16Z

Weaknesses
  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)