HarborGuard Database

CVE-2026-50242 (CRITICAL), CNA: JetBrains

CVE-2026-50242: In JetBrains Hub before 2026

In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 authentication bypass via direct database access leading to administrative access was possible.

Metrics

CVSS v3.1: 10.0
Severity: CRITICAL
Fixed in: 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability in JetBrains Hub allows a remote, unauthenticated attacker to gain administrative access by directly accessing the underlying database. The flaw is reachable over the network with no credentials and no user interaction required, making it trivially exploitable wherever Hub is network-accessible. Successful exploitation gives an attacker full administrative control over the Hub instance, enabling complete data disclosure, modification of all persisted data, and disruption of service. Patched-image rebuilds at the fixed versions are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-50242 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle JetBrains Hub.

Triage: Available

HarborGuard scores this CVE at CVSS 10.0 (Critical) and surfaces it with that severity weighting inside each customer environment; per-environment compliance policy rules further prioritize and route the finding to the appropriate team inbox based on the organization's own thresholds.

Patch: Available

Patched-image rebuilds at the fixed Hub versions (2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, and 2024.2.148429) are available on HarborGuard for environments running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Hub service over the network; any internet-exposed or internally network-accessible Hub instance is within scope.

  • Authentication: Not required

    No credentials of any kind are required; the bypass allows an unauthenticated attacker to gain administrative access directly.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator.

  • Attack complexity: Low

    Exploit complexity is low, meaning the attack is reliable and requires no special conditions, race conditions, or environmental factors to succeed.

Blast Radius

  • A successful attacker gains full administrative control over the JetBrains Hub instance, reading all stored user credentials, tokens, and project access configurations.
  • The attacker can modify or delete all persisted data in Hub, including user accounts, group memberships, permissions, and integration settings across every connected JetBrains service.
  • The scope of impact extends beyond Hub itself (CVSS scope is Changed), meaning downstream JetBrains tools integrated with Hub, such as TeamCity or YouTrack, inherit the attacker's administrative privileges.
  • The attacker can crash or disable the Hub service entirely, cutting off authentication and access management for all integrated tooling in the affected organization.

How HarborGuard Handles This

Available on HarborGuard: detection for this Critical-severity authentication bypass has been active across all connected environments since the moment the CVE was published. For environments running any affected Hub version (all builds before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, or 2024.2.148429), a patched-image rebuild at the appropriate fixed version is available.

Where compliance policy permits auto-remediation, HarborGuard will rebuild the image at the patched version, execute a regression test run, and open a pull request against affected workloads; the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, HarborGuard surfaces the finding with full CVSS context so that operators can act immediately.

Given the CVSS 10.0 score and zero-barrier exploitability, applying the upstream patch is strongly preferred over compensating controls; however, organizations that cannot patch immediately should consider restricting network access to Hub via firewall rules or network policy to limit exposure while a patched image is prepared.


Fix available: 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429

Affected packages
  • JetBrains / Hub
    < 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H