JetBrains Patches Six Vulnerabilities in IntelliJ IDEA, TeamCity and YouTrack
JetBrains has released security updates for six vulnerabilities affecting IntelliJ IDEA, TeamCity and YouTrack. The flaws include a critical IntelliJ IDEA path traversal issue, four high-severity TeamCity weaknesses and a low-severity YouTrack CSS injection bug.
The most serious vulnerability, CVE-2026-59792, could allow code execution when IntelliJ IDEA processes a malicious project workspace identifier. JetBrains assigned it a CVSS score of 9.6 and fixed it in IntelliJ IDEA 2026.1.4 and 2026.2.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The JetBrains fixed security issues advisory also lists patches for arbitrary file access, stored cross-site scripting and missing authorization in TeamCity. Administrators should update TeamCity to 2026.1.2 and YouTrack to 2026.2.17012.
JetBrains Vulnerabilities at a Glance
| CVE | Product | JetBrains severity | Issue | Fixed version |
|---|---|---|---|---|
| CVE-2026-59792 | IntelliJ IDEA | Critical, 9.6 | Code execution through path traversal | 2026.1.4 and 2026.2 |
| CVE-2026-59793 | TeamCity | High, 8.8 | Arbitrary file access through Perforce VCS integration | 2026.1.2 |
| CVE-2026-59794 | TeamCity | High, 7.3 | Stored XSS through agent-reported cloud profile data | 2026.1.2 |
| CVE-2026-59795 | TeamCity | High, 8.1 | Stored XSS through unauthenticated agent registration | 2026.1.2 |
| CVE-2026-59796 | TeamCity | High, 8.1 | Pipeline modification through missing authorization | 2026.1.2 |
| CVE-2026-59791 | YouTrack | Low, 3.5 | CSS injection through Mermaid diagram rendering | 2026.2.17012 |
Critical IntelliJ IDEA Flaw Could Enable Code Execution
CVE-2026-59792 affects the handling of project workspace identifiers in IntelliJ IDEA. JetBrains classified the issue as CWE-23, which covers improper restriction of a pathname to a restricted directory.
The CVE-2026-59792 record states that path traversal could lead to code execution in IntelliJ IDEA versions before 2026.1.4 and 2026.2. The published CVSS vector indicates that exploitation requires user interaction.
A likely risk scenario involves a developer opening or interacting with an untrusted project that contains a crafted workspace identifier. A successful attack could affect the confidentiality and integrity of files accessible to the developer’s account.
| CVE-2026-59792 factor | Published value |
|---|---|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| JetBrains CVSS score | 9.6, Critical |
| Researcher | Antoni Tremblay |
Why the IntelliJ IDEA Vulnerability Matters
Integrated development environments regularly process project files, build instructions, plugins and source-control metadata. Developers may download unfamiliar repositories when reviewing contributions, testing dependencies or investigating reported bugs.
A project-based code execution path can turn that normal workflow into an initial-access opportunity. The attacker may not need to compromise the organization’s central source repository if they can persuade one developer to open a crafted project elsewhere.
Organizations should treat externally sourced projects as untrusted content. Security teams should also review whether developer accounts have unnecessary access to production credentials, signing keys, cloud tokens or CI/CD systems.
TeamCity Perforce Integration Allowed Arbitrary File Access
CVE-2026-59793 affects TeamCity’s integration with the Perforce version control system. JetBrains classified it as CWE-73, which describes externally controlled file names or paths.
According to the CVE-2026-59793 advisory, TeamCity versions before 2026.1.2 could allow arbitrary file access through the Perforce VCS integration. The issue carries a JetBrains CVSS score of 8.8.
The published vector indicates that an attacker would need low-level privileges but would not require user interaction. Depending on the TeamCity configuration and accessible files, exploitation could expose sensitive information or affect data used by build processes.
- Repository credentials and configuration files
- Build scripts and environment information
- Secrets stored in accessible files
- Source code and generated build artifacts
- Files used by connected automation services
Two Stored XSS Vulnerabilities Affected TeamCity
JetBrains patched two stored cross-site scripting vulnerabilities in TeamCity. Stored XSS allows attacker-controlled content to remain inside an application and execute when another user views an affected page.
CVE-2026-59794 involved agent-reported data displayed on the TeamCity cloud profile page. JetBrains assigned the vulnerability a 7.3 High score, while NVD currently provides a separate 5.4 Medium assessment.
CVE-2026-59795 allowed stored XSS through unauthenticated agent registration. JetBrains scored it at 8.1 High, while NVD currently lists a separate 6.1 Medium score.
| Vulnerability | Input source | Privileges required | User interaction |
|---|---|---|---|
| CVE-2026-59794 | Agent-reported cloud profile data | Low | Required |
| CVE-2026-59795 | Unauthenticated agent registration | None | Required |
Stored XSS Could Target TeamCity Users
Exploitation would require a TeamCity user to view the affected interface. The browser could then process malicious content within the context of the TeamCity application.
Potential consequences can include unauthorized actions performed through the victim’s active session, manipulation of the displayed interface or exposure of information available to the affected user. The actual impact would depend on browser controls, TeamCity permissions and the malicious payload.
Administrators should review unexpected agent registrations and cloud-profile data after updating. They should also investigate suspicious activity involving privileged TeamCity accounts.
Missing Authorization Exposed TeamCity Pipelines
CVE-2026-59796 resulted from improper permission checks in TeamCity. JetBrains classified the vulnerability as CWE-862, or missing authorization.
The CVE-2026-59796 record says a low-privileged user could modify pipeline configurations without the required authorization in TeamCity versions before 2026.1.2. The vulnerability has a CVSS score of 8.1.
Unauthorized pipeline changes can create software supply-chain risk. An attacker who alters build instructions may be able to change compiled output, redirect deployment activity or introduce unapproved steps into a release process.
- Review recent pipeline and build-configuration changes.
- Confirm that every modification has an expected owner and change record.
- Inspect build steps that download or execute external content.
- Review changes to artifact destinations and deployment targets.
- Rotate exposed secrets if unauthorized pipeline activity is discovered.
YouTrack CSS Injection Carried Lower Severity
CVE-2026-59791 affected Mermaid diagram rendering in YouTrack. The flaw could allow an authenticated user to inject CSS that changes how content appears to another user.
The CVE-2026-59791 entry gives the issue a CVSS score of 3.5 and classifies it as CWE-1021, or improper restriction of rendered user-interface layers or frames.
CSS injection does not provide the same direct script-execution capability as cross-site scripting. It can still alter page presentation, hide interface elements or create misleading content that supports phishing and user-interface deception.
| YouTrack issue detail | Value |
|---|---|
| Affected versions | Versions before 2026.2.17012 |
| Fixed version | 2026.2.17012 |
| Privileges required | Low |
| User interaction | Required |
| CVSS score | 3.5, Low |
| Researcher | Rohit Prasanth, also known as h3ri0s |
Which JetBrains Versions Should Be Installed?
Users should verify the exact version running on every workstation and server. Updating a central JetBrains service does not patch locally installed IntelliJ IDEA clients, while updating developer workstations does not protect a self-hosted TeamCity or YouTrack server.
The JetBrains security update list identifies IntelliJ IDEA 2026.1.4 and 2026.2, TeamCity 2026.1.2, and YouTrack 2026.2.17012 as the relevant fixed releases.
| Product | Vulnerable range | Recommended version |
|---|---|---|
| IntelliJ IDEA | Before 2026.1.4 in the 2026.1 line and before 2026.2 | 2026.1.4, 2026.2 or later |
| TeamCity | Before 2026.1.2 | 2026.1.2 or later |
| YouTrack | Before 2026.2.17012 | 2026.2.17012 or later |
Post-Update Checks for TeamCity Administrators
Installing TeamCity 2026.1.2 closes the four reported vulnerabilities, but administrators should also look for evidence that someone abused an older deployment. This matters because TeamCity often holds source-control credentials, build secrets and permissions affecting production releases.
Teams should preserve relevant logs before conducting a deeper investigation. If they identify unauthorized pipeline activity or file access, they should rotate potentially exposed credentials and rebuild affected artifacts from a trusted state.
- Confirm that every TeamCity server runs version 2026.1.2 or later.
- Review recently registered and unauthorized build agents.
- Audit cloud profile data and administrative activity.
- Examine Perforce integration activity for unexpected paths or file access.
- Review pipeline modifications and permission changes.
- Compare recent artifacts with trusted source and build definitions.
- Rotate repository, signing and deployment credentials if compromise is suspected.
Developer Workstations Also Need Attention
Organizations may prioritize internet-facing TeamCity and YouTrack servers while overlooking IntelliJ IDEA installations. CVE-2026-59792 shows why endpoint patching also matters in development environments.
Security teams should inventory IDE versions and use centralized software management where possible. Developers should avoid opening projects from unknown sources until the IDE has been updated.
Access controls can reduce the effect of an IDE compromise. Developer accounts should not retain unrestricted production credentials, long-lived cloud keys or unnecessary access to release-signing systems.
No Active Exploitation Reported in the Advisories
The public JetBrains and NVD records reviewed for these six vulnerabilities do not describe active exploitation. That absence should not be treated as proof that exploitation cannot occur.
Development and CI/CD platforms remain valuable targets because they can provide access to source code, credentials, artifacts and deployment workflows. Public disclosure can also help attackers study affected components and search for unpatched installations.
Organizations should install the fixed releases promptly, validate the updates and review sensitive TeamCity activity. Systems involved in software builds and releases deserve priority because a single compromise can affect many downstream users.
FAQ
JetBrains patched six vulnerabilities across IntelliJ IDEA, TeamCity and YouTrack. The group includes one critical issue, four high-severity issues and one low-severity issue.
CVE-2026-59792 is the most severe. It is a critical IntelliJ IDEA path traversal vulnerability that could lead to code execution when a user interacts with a malicious project.
TeamCity 2026.1.2 fixes CVE-2026-59793, CVE-2026-59794, CVE-2026-59795 and CVE-2026-59796. Versions before 2026.1.2 are affected.
JetBrains fixed CVE-2026-59792 in IntelliJ IDEA 2026.1.4 and 2026.2. Users should install one of these releases or a later supported version.
Administrators should review agent registrations, Perforce file-access activity, pipeline modifications, permission changes and recent build artifacts for unauthorized activity.
The JetBrains and NVD records reviewed for these vulnerabilities do not report active exploitation. Organizations should still patch promptly because development and CI/CD systems are high-value targets.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages