Skip to content
Rush Commerce
Software & Dev3 min read

JetBrains Hub CVSS 9.8: patch your self-hosted dev tools

JetBrains patched a CVSS 9.8 account-takeover flaw in Hub plus auth-bypass and RCE bugs across YouTrack, TeamCity, and IntelliJ IDEs. Self-hosted means you patch.

The identity layer under your dev tools is worth attacking, and this month someone found the crack. On July 2, 2026, JetBrains patched a cluster of critical vulnerabilities across its on-premise stack — Hub, YouTrack, TeamCity, and IntelliJ-based IDEs — headlined by an unauthenticated account-takeover flaw rated CVSS 9.8. If you self-host any of it, the fix exists but it isn't applied until someone runs the upgrade.

What actually happened

The worst of the batch, CVE-2026-56141, lives in JetBrains Hub — the central identity provider that YouTrack, TeamCity, and the rest authenticate against. Hub generated account-restore codes with a weak random-number generator, so an unauthenticated attacker could predict or brute-force a valid code and seize any account, including administrators. Two more Hub bugs round it out: CVE-2026-50242, an authentication bypass via direct database-level logic that also hits YouTrack, and CVE-2026-56142, a privilege-escalation flaw letting a low-privileged user attach authentication details and climb to admin.

The IDEs got hit too. Per reporting on the advisory, IntelliJ IDEA carried remote-code-execution bugs — template injection in the Copyright plugin (CVE-2026-49382) and command injection through filename completion (CVE-2026-49366). JetBrains fixed Hub in version 2026.1.13757 and backported to the LTS branches (2025.3, 2025.2, 2025.1, 2024.3, 2024.2). Cloud-hosted JetBrains customers were already covered. Self-managed instances are exposed until upgraded — and several of these flaws need no login and no user interaction.

Why it matters for your business

Compromise Hub and you don't get one account — you get the front door to your issue tracker, your CI server, and whatever secrets TeamCity holds to deploy your code. That's the shape of these identity bugs: they don't break a feature, they break who gets to be trusted. A predictable restore code sounds minor until it's an attacker standing in your build pipeline as an admin.

This is the recurring tax of self-hosting, and JetBrains sets the due date, not you. Running your own YouTrack or TeamCity is often the right call — you keep your tickets, your pipeline, and your keys off someone else's tenancy. But that ownership is a standing obligation. The failure mode is quiet: an on-prem Hub two versions behind because the person who used to patch it moved teams, and now nobody owns the cadence. That's how a fixed, publicly documented bug becomes your breach. If you self-host anything that authenticates the rest of your stack, patching can't be "whoever notices" — it has to be somebody's named job, on a schedule.

Key takeaways

  • JetBrains patched critical flaws on July 2, 2026 across Hub, YouTrack, TeamCity, and IntelliJ IDEs — fix Hub versions include 2026.1.13757 plus LTS backports
  • CVE-2026-56141 (CVSS 9.8) lets an unauthenticated attacker take over any Hub account, admins included, via predictable restore codes
  • Hub is the identity provider for the rest of the stack — an ATO there reaches your CI, deploy keys, and issue tracker
  • Cloud-hosted instances are already patched; self-managed installs are exposed until someone runs the upgrade

Self-hosting more dev tooling than you can keep patched? We build and run the internal systems small teams depend on — with a patch cadence that's owned and checklisted, not assumed. See what we do or get a self-hosted stack review.

Sources: GBHackers — JetBrains Patches Critical Hub Authentication Bypass and Account Takeover Vulnerabilities, Cybersecurity News — Critical JetBrains Vulnerabilities Enable Authentication Bypass and Code Execution.

  • #jetbrains
  • #cve
  • #self-hosted
  • #devsecops
  • #patching
TR

Tommy Rush — Founder, Rush Commerce

Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More

Get The Rush Report weekly — one email, zero fluff.