Description
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authentication details to accounts was possible.
Published: 2026-06-19
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetBrains Hub versions prior to 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429 allow an actor to elevate privileges by attaching authentication details to user accounts. This flaw enables an attacker to assume higher-level permissions and potentially gain full control of the Hub instance, presenting a severe threat to confidentiality, integrity, and availability.

Affected Systems

The affected product is JetBrains Hub from JetBrains. The vulnerability exists in releases earlier than the fixed versions listed above. Users running any affected release should verify their version and plan to upgrade.

Risk and Exploitability

The CVSS score of 9.6 marks this issue as critical. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker with access to the account attachment functionality, possibly an authenticated user or an attacker who can submit authentication details. The vulnerability permits elevation of privileges without needing to compromise the underlying operating system, making it highly valuable for malicious actors.

Generated by OpenCVE AI on June 19, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update JetBrains Hub to version 2026.1.13757 or later using the official patch release from JetBrains.
  • If an upgrade cannot be performed immediately, disable or restrict the feature that allows attaching authentication details to accounts until the patch is applied.
  • Monitor account creation and authentication attachment events for suspicious activity and enforce strict audit logging during the remediation period.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Title |  | Privilege Escalation via Authentication Detail Attachment in JetBrains Hub
First Time appeared |  | Jetbrains, Jetbrains hub
Vendors & Products |  | Jetbrains, Jetbrains hub

Fri, 19 Jun 2026 12:45:00 +0000

Type | Values Removed | Values Added
Description |  | In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authentication details to accounts was possible
Weaknesses |  | CWE-915
References |  |
Metrics |  | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-06-19T11:49:41.968Z

Reserved: 2026-06-19T10:56:21.696Z

Link: CVE-2026-56142

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T14:30:04Z

Weaknesses
  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes