JetBrains Hub CVSS 9.8: patch your self-hosted dev tools
JetBrains patched a CVSS 9.8 account-takeover flaw in Hub plus auth-bypass and RCE bugs across YouTrack, TeamCity, and IntelliJ IDEs. Self-hosted means you patch.
The identity layer under your dev tools is worth attacking, and this month someone found the crack. On July 2, 2026, JetBrains patched a cluster of critical vulnerabilities across its on-premise stack — Hub, YouTrack, TeamCity, and IntelliJ-based IDEs — headlined by an unauthenticated account-takeover flaw rated CVSS 9.8. If you self-host any of it, the fix exists but it isn't applied until someone runs the upgrade.
What actually happened
The worst of the batch, CVE-2026-56141, lives in JetBrains Hub — the central identity provider that YouTrack, TeamCity, and the rest authenticate against. Hub generated account-restore codes with a weak random-number generator, so an unauthenticated attacker could predict or brute-force a valid code and seize any account, including administrators. Two more Hub bugs round it out: CVE-2026-50242, an authentication bypass via direct database-level logic that also hits YouTrack, and CVE-2026-56142, a privilege-escalation flaw letting a low-privileged user attach authentication details and climb to admin.
The IDEs got hit too. Per reporting on the advisory, IntelliJ IDEA carried remote-code-execution bugs — template injection in the Copyright plugin (CVE-2026-49382) and command injection through filename completion (CVE-2026-49366). JetBrains fixed Hub in version 2026.1.13757 and backported to the LTS branches (2025.3, 2025.2, 2025.1, 2024.3, 2024.2). Cloud-hosted JetBrains customers were already covered. Self-managed instances are exposed until upgraded — and several of these flaws need no login and no user interaction.
Why it matters for your business
Compromise Hub and you don't get one account — you get the front door to your issue tracker, your CI server, and whatever secrets TeamCity holds to deploy your code. That's the shape of these identity bugs: they don't break a feature, they break who gets to be trusted. A predictable restore code sounds minor until it's an attacker standing in your build pipeline as an admin.
This is the recurring tax of self-hosting, and JetBrains sets the due date, not you. Running your own YouTrack or TeamCity is often the right call — you keep your tickets, your pipeline, and your keys off someone else's tenancy. But that ownership is a standing obligation. The failure mode is quiet: an on-prem Hub two versions behind because the person who used to patch it moved teams, and now nobody owns the cadence. That's how a fixed, publicly documented bug becomes your breach. If you self-host anything that authenticates the rest of your stack, patching can't be "whoever notices" — it has to be somebody's named job, on a schedule.
Key takeaways
- JetBrains patched critical flaws on July 2, 2026 across Hub, YouTrack, TeamCity, and IntelliJ IDEs — fix Hub versions include 2026.1.13757 plus LTS backports
- CVE-2026-56141 (CVSS 9.8) lets an unauthenticated attacker take over any Hub account, admins included, via predictable restore codes
- Hub is the identity provider for the rest of the stack — an ATO there reaches your CI, deploy keys, and issue tracker
- Cloud-hosted instances are already patched; self-managed installs are exposed until someone runs the upgrade
Self-hosting more dev tooling than you can keep patched? We build and run the internal systems small teams depend on — with a patch cadence that's owned and checklisted, not assumed. See what we do or get a self-hosted stack review.
Sources: GBHackers — JetBrains Patches Critical Hub Authentication Bypass and Account Takeover Vulnerabilities, Cybersecurity News — Critical JetBrains Vulnerabilities Enable Authentication Bypass and Code Execution.
- #jetbrains
- #cve
- #self-hosted
- #devsecops
- #patching
Tommy Rush — Founder, Rush Commerce
Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More
Get The Rush Report weekly — one email, zero fluff.
Keep reading
Ubiquiti UniFi CVSS 10: patch the box that runs your office
Ubiquiti's UniFi Connect flaw CVE-2026-50746 (CVSS 10.0) lets an unauthenticated attacker on your network run commands on the host. Patch to 3.4.20 now.
Read itJoomla page builders hit CVSS 10.0: patch your CMS now
Two Joomla page-builder extensions have unauthenticated CVSS 10.0 file-upload flaws that are already dropping web shells and hidden admin accounts. Your marketing site is attack surface.
Read it