Severity: HIGH | CVE-2026-49366 | CNA: JetBrains

CVE-2026-49366: In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion

HarborGuard Analysis

Synopsis

A command injection in JetBrains IntelliJ IDEA lets an attacker run arbitrary commands when a developer triggers filename completion against attacker-crafted input. Exploitation is local and requires the developer to interact with the malicious file or path, but needs no prior authentication; a successful attack runs code with the developer's privileges, giving read, write, and disruption capability over anything that user can touch. A patched-image rebuild at 2026.1.1 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against IntelliJ IDEA installations in customer registries and CI pipelines. Coverage extends to custom-built images that bundle the IDE for build agents or developer containers.

Triage (Available)

Triage is available with the CVSS 7.8 HIGH score applied and re-weighted against each customer's compliance policy, so environments that treat developer-workstation code execution as critical see it escalated accordingly. Findings are routed to the appropriate inbox inside each customer org based on image ownership.

Patch (Available)

A patched-image rebuild at 2026.1.1 is available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, the rebuild is generated, a regression-test run is executed, and a PR is opened against the workloads pinned to the vulnerable version.

Exploit Conditions

  • Network reachability: Not required

    The attack vector is local; the attacker needs an existing shell, process, or crafted file on the host where IntelliJ IDEA runs.

  • Authentication: Not required

    No prior authentication to IntelliJ IDEA is required to deliver the malicious filename.

  • Victim interaction: Required

    A developer must trigger filename completion against the attacker-controlled path for the injection to fire.

  • Attack complexity: Low

    Attack complexity is low: the exploit is reliable once the victim invokes completion, with no race or environmental conditions to satisfy.

Blast Radius

  • Runs arbitrary commands with the developer's user privileges on the workstation or build agent.
  • Reads source code, SSH keys, cloud credentials, and any other files the developer account can access.
  • Modifies source trees, commits, and local artifacts, enabling supply-chain tampering through the developer's identity.
  • Can disrupt or terminate the IDE and other processes owned by the user.

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at IntelliJ IDEA 2026.1.1 for any environment still pinned to an affected version. For customers with auto-remediation enabled, the rebuild is produced, regression tests are run, and a PR is opened against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where auto-remediation is not enabled, the finding is surfaced in the routed inbox with the fix version and upgrade path attached so the owning team can ship the bump on their own cadence.

Metrics

  • CVSS v3.1: 7.8
  • Severity: HIGH
  • Fixed in: 2026.1.1
  • Affected Products: 1

Fix available: 2026.1.1

Affected packages
  • JetBrains / IntelliJ IDEA: < 2026.1.1 (from 0)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References