CVE-2026-56141 (CRITICAL), CNA: JetBrains

CVE-2026-56141: In JetBrains Hub before 2026

In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429, account takeover via predictable restore codes was possible.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429
Affected products: 1


HarborGuard Analysis

Synopsis

An authentication bypass vulnerability in JetBrains Hub allows a remote, unauthenticated attacker to take over user accounts by exploiting predictable account restore codes. The service is reachable over the network and requires no credentials or user interaction to exploit. Successful exploitation gives the attacker full control of the targeted account, enabling them to read, modify, or delete anything that account can access. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-56141 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle JetBrains Hub. Any image whose Hub version falls below the relevant fix version for its release line is flagged immediately.
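The detection rule above is per release line: a build is vulnerable only when it is below the fix version of its own year.minor line, so a single global minimum would misclassify builds (2024.2.148429 is fixed even though its build number is far below every 2025.x build). The following is an added example of that check, written for this page and not HarborGuard's or JetBrains' code; the fix versions are the ones listed in the advisory, the YEAR.MINOR.BUILD version shape is inferred from them, and the image names in the sample inventory are constructed.

```python
from __future__ import annotations

from typing import Optional

# Fix versions exactly as listed in the advisory, keyed by release line (year.minor).
FIX_VERSIONS: dict[str, str] = {
    "2026.1": "2026.1.13757",
    "2025.3": "2025.3.148033",
    "2025.2": "2025.2.148048",
    "2025.1": "2025.1.148120",
    "2024.3": "2024.3.148430",
    "2024.2": "2024.2.148429",
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Split a Hub version string of the form YEAR.MINOR.BUILD into integers.

    Assumption: the three-component, all-numeric form seen in the advisory is
    the only form handled here; anything else is rejected rather than guessed.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Hub version string: {version!r}")
    year, minor, build = (int(p) for p in parts)
    return year, minor, build


def is_vulnerable(version: str) -> Optional[bool]:
    """True if `version` is below the fix for its own release line, False if it is
    at or above that fix, None if the advisory lists no fix for that line.

    None means "needs manual review", never "safe": the advisory gives no
    in-line fix for such builds, so the caller must decide how to treat them.
    """
    year, minor, build = parse_version(version)
    fix = FIX_VERSIONS.get(f"{year}.{minor}")
    if fix is None:
        return None
    _, _, fix_build = parse_version(fix)
    return build < fix_build


def scan_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket image names by status: 'vulnerable', 'fixed' or 'review'."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "review": []}
    for image, version in inventory.items():
        verdict = is_vulnerable(version)
        key = "review" if verdict is None else ("vulnerable" if verdict else "fixed")
        buckets[key].append(image)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory (image name -> Hub version), not real customer data.
    sample = {
        "registry.example/hub:2025.2": "2025.2.148047",
        "registry.example/hub:2025.2-patched": "2025.2.148048",
        "registry.example/hub:2024.2": "2024.2.100000",
        "registry.example/hub:legacy": "2023.3.1",
    }
    for status, images in scan_inventory(sample).items():
        print(f"{status}: {images}")
```

Whether a release line older than 2024.2 should be reported as vulnerable rather than queued for review is a policy choice; the code keeps it as "review" because the advisory lists no fix for those lines, and an operator would normally resolve it by moving such instances to a supported line.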
Triage: Available

HarborGuard scores this CVE at CVSS 9.8 Critical and surfaces it at the top of each affected environment's vulnerability queue. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the inbox or ticket queue configured by each customer organization.
Patch: Available

A patched-image rebuild at each fix version (2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, or 2024.2.148429, matched to the customer's active release line) becomes available on HarborGuard once the fix versions are indexed. For customers with auto-remediation enabled, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the JetBrains Hub service over the network; any internet-exposed or internally routable Hub instance is within scope.

  • Authentication: Not required

    No credentials are needed; the restore-code flow is accessible to unauthenticated users by design, and the predictability flaw is exploitable before any login.

  • Victim interaction: Not required

    The attacker operates entirely independently; no user needs to click a link, open a file, or take any action for exploitation to succeed.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions or specific memory layout requirements.
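The advisory describes the flaw only as "predictable restore codes" and does not say how Hub generated them, so nothing below is Hub's design. As an added example for this page, here is the shape of a restore-code flow that does not have that class of weakness: codes drawn from the OS CSPRNG, stored only as a digest, bound to one account, time-limited, single-use, compared in constant time, and discarded after a small number of failed guesses. The TTL, entropy size and failure limit are values chosen for the example, not settings from any product.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Policy values chosen for this example (assumptions, not any product's settings).
CODE_TTL_SECONDS = 15 * 60   # an unused restore code should stop working quickly
CODE_ENTROPY_BYTES = 32      # 256 bits from the OS CSPRNG: not guessable or derivable
MAX_FAILURES = 5             # discard the code after this many wrong guesses


@dataclass
class _Pending:
    digest: bytes        # SHA-256 of the code; the live code itself is never stored
    expires_at: float
    failures: int = 0


class RestoreCodeStore:
    """Issue and redeem one-time account restore codes.

    Properties that rule out the predictable-restore-code class of bug:
      - codes come from `secrets`, never from timestamps, counters, user ids
        or a seeded PRNG, so knowing when or for whom a code was issued
        reveals nothing about its value;
      - only a digest is kept server-side, so a read of the store does not
        leak usable codes;
      - a code is bound to one account, expires, and is consumed on its first
        successful use;
      - comparison uses hmac.compare_digest (constant time);
      - repeated wrong guesses invalidate the code instead of leaving it live.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                          # injectable clock for tests
        self._pending: Dict[str, _Pending] = {}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, account_id: str) -> str:
        """Create a fresh code for `account_id`, replacing any earlier one."""
        code = secrets.token_urlsafe(CODE_ENTROPY_BYTES)
        self._pending[account_id] = _Pending(self._digest(code), self._now() + CODE_TTL_SECONDS)
        return code  # delivered out of band to the account owner; never logged

    def redeem(self, account_id: str, presented: str) -> bool:
        """Return True exactly once, for the live code of `account_id`."""
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        if self._now() > entry.expires_at:
            self._pending.pop(account_id, None)   # expired: discard, never extend
            return False
        if not hmac.compare_digest(entry.digest, self._digest(presented)):
            entry.failures += 1
            if entry.failures >= MAX_FAILURES:
                self._pending.pop(account_id, None)
            return False
        self._pending.pop(account_id, None)       # single use
        return True


if __name__ == "__main__":
    # Constructed demonstration with a fixed clock; "alice" is a placeholder account id.
    store = RestoreCodeStore(now=lambda: 1_000.0)
    code = store.issue("alice")
    print("first use accepted:", store.redeem("alice", code))
    print("second use accepted:", store.redeem("alice", code))
```

The in-memory dict stands in for whatever durable store a real service uses; what matters for the vulnerability class is the generator and the verification rules, which are the same regardless of storage. Failed-guess and expiry events are also the signals a detection team would want logged per account, since a burst of redeem failures against one account is how abuse of a restore flow shows up.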

Blast Radius

  • The attacker gains full control of the targeted Hub account, reading all associated project data, tokens, and credentials stored within it.
  • The attacker can modify or delete repository access rules, service integrations, and any other settings the compromised account governs.
  • If the compromised account holds administrative privileges, the attacker can pivot to control other user accounts and system-wide Hub configuration.
  • Account takeover exposes any connected JetBrains toolchain services (such as YouTrack or TeamCity instances) that trust Hub for authentication.

How HarborGuard Handles This

Available on HarborGuard: images containing JetBrains Hub at a vulnerable version are automatically identified and a rebuilt image pinned to the appropriate fix version is made available for each active release line. For customers with auto-remediation enabled, HarborGuard rebuilds the image, executes regression checks, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and a remediation ticket are queued for reviewer action immediately. Given the critical severity and unauthenticated network reachability of this vulnerability, customers who have not yet enabled auto-remediation should treat this as a priority manual upgrade. Until patched images are deployed, consider isolating Hub instances behind network policy rules that restrict inbound access to known source ranges and disabling public-facing account restore flows at the load-balancer or reverse-proxy layer if operationally feasible.


Fix available: 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429

Affected packages
  • JetBrains / Hub: every version from 0 up to, but not including, the fix version of its release line (2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H