CVE-2026-56142: JetBrains Hub privilege escalation by attaching authentication details to accounts
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authentication details to accounts was possible
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429
- Affected Products: 1
HarborGuard Analysis
Synopsis
CVE-2026-56142 is a privilege escalation vulnerability in JetBrains Hub, the centralized authentication and team management service used across JetBrains developer tooling. The flaw is reachable over the network and requires only a low-privilege account, with no victim interaction needed; a CVSS v3.1 score of 9.6 Critical reflects its scope-changing impact. Successful exploitation lets an attacker attach arbitrary authentication details to accounts, escalating their privileges and gaining full control over confidentiality, integrity, and availability of affected systems. Patched-image rebuilds at the fix versions are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built images that bundle JetBrains Hub. No manual configuration is required for matching to begin.
HarborGuard scores this finding at CVSS 9.6 Critical and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on policy-defined ownership rules.
A patched-image rebuild pinned to one of the fix versions (2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, or 2024.2.148429, depending on the tracked release branch) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test pass, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerability is exposed over the network, meaning an attacker must be able to reach the JetBrains Hub service via a network connection to exploit it.
- Authentication: Required
A low-privilege account is sufficient; no administrative credentials are needed, but the attacker must hold at least one valid user account on the Hub instance.
- Victim interaction: Not required
No victim action such as clicking a link or opening a file is needed; the attacker can exploit the flaw entirely on their own initiative.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond network access and a valid low-privilege credential.
Blast Radius
- Attacker escalates from a low-privilege account to elevated or administrative privileges by attaching arbitrary authentication details to targeted accounts.
- With elevated access, the attacker reads sensitive data stored in Hub, including user credentials, tokens, and linked service integrations.
- The attacker modifies account configurations, group memberships, and access-control settings across the Hub instance and any connected JetBrains tools.
- The attacker disrupts Hub service availability, blocking developer access to authentication and team management functions across the affected organization.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-56142 is active across all connected environments the moment the CVE is ingested, matching any image that includes an affected JetBrains Hub version. Because this is rated Critical at 9.6, it is prioritized at the head of triage queues; for environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for high and critical-severity issues is around 90 minutes. Where compliance policy permits, HarborGuard rebuilds the image at the appropriate fix version branch (2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, or 2024.2.148429), runs regression tests, and opens a PR against affected workloads. For customers who have not enabled auto-remediation, the finding appears in the triage inbox with fix-version details and rebuild instructions so the team can act manually.
Fix available
- JetBrains / Hub: all releases before the fix version on each branch (affected from 0): 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
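The fix list above has a property that trips up naive version matching: Hub build numbers are per release branch, not global, so the patched backport 2024.3.148430 has a higher build number than 2025.1.148120, and 2026.1.13757 has a lower one than every other fix. Comparing an inventory against the newest fix version as a plain tuple flags every patched backport as still vulnerable. The checker below is an added example, not HarborGuard's or JetBrains' code; it compares each version only against the fix build of its own YEAR.MINOR branch. The `name:version` image-tag layout and the sample inventory are assumptions constructed for the example.

```python
"""Branch-aware check of JetBrains Hub versions against the CVE-2026-56142
fix list (added example, not HarborGuard's or JetBrains' own code)."""
import re
from typing import Dict, Iterable, NamedTuple, Tuple

# Fix versions exactly as listed under "Fixed in" on this page.
FIXED_IN = [
    "2026.1.13757", "2025.3.148033", "2025.2.148048",
    "2025.1.148120", "2024.3.148430", "2024.2.148429",
]

_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)$")


class HubVersion(NamedTuple):
    year: int
    minor: int
    build: int

    @property
    def branch(self) -> Tuple[int, int]:
        return (self.year, self.minor)


def parse_version(text: str) -> HubVersion:
    """Parse 'YEAR.MINOR.BUILD'; anything else (e.g. 'latest') is rejected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Hub version: {text!r}")
    year, minor, build = (int(g) for g in m.groups())
    return HubVersion(year, minor, build)


# branch -> first build on that branch that carries the fix
FIX_BY_BRANCH: Dict[Tuple[int, int], int] = {
    parse_version(v).branch: parse_version(v).build for v in FIXED_IN
}
OLDEST_FIXED_BRANCH = min(FIX_BY_BRANCH)


def naive_is_fixed(text: str) -> bool:
    """The pitfall: compare against the highest listed version as a plain tuple.
    Build numbers restart per branch, so every backport release compares
    'older' than 2026.1.13757 and is wrongly reported as vulnerable."""
    return parse_version(text) >= max(parse_version(v) for v in FIXED_IN)


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted-branch' for one Hub version."""
    v = parse_version(text)
    fix_build = FIX_BY_BRANCH.get(v.branch)
    if fix_build is not None:
        return "fixed" if v.build >= fix_build else "vulnerable"
    if v.branch < OLDEST_FIXED_BRANCH:
        # The affected range starts at 0 and no patched build exists on these
        # branches, so the only remediation is upgrading to a fixed branch.
        return "vulnerable"
    # A branch newer than any listed fix is not covered by this page;
    # confirm it against the upstream advisory rather than assuming.
    return "unlisted-branch"


def scan_image_tags(refs: Iterable[str]) -> Dict[str, str]:
    """Assess image references. The 'name:version' tag layout is an assumption
    for this example; a tag that is not a version string (e.g. 'latest') cannot
    be proven fixed and is reported as 'unparsed-tag' so it surfaces as a finding."""
    results: Dict[str, str] = {}
    for ref in refs:
        name, _, tag = ref.rpartition(":")
        if "hub" not in name.lower():
            continue  # not a Hub image
        try:
            results[ref] = assess(tag)
        except ValueError:
            results[ref] = "unparsed-tag"
    return results


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    inventory = [
        "registry.example.internal/jetbrains/hub:2025.1.148000",
        "registry.example.internal/jetbrains/hub:2024.3.148430",
        "jetbrains/hub:latest",
    ]
    for ref, verdict in scan_image_tags(inventory).items():
        print(f"{verdict:15} {ref}")
```

Note that `naive_is_fixed("2024.3.148430")` returns False even though that build is on the fix list; `assess` keys the comparison on the branch and reports it as fixed. Treat `unparsed-tag` and `unlisted-branch` as open findings, not as clean results.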