JetBrains has recently addressed six security vulnerabilities across its suite of development and project management tools, including IntelliJ IDEA, TeamCity, and YouTrack. These vulnerabilities, if exploited, could have led to significant security breaches, underscoring the importance of timely software updates.
Critical Vulnerability in IntelliJ IDEA
The most severe of these issues, identified as CVE-2026-59792, involved improper path handling within IntelliJ IDEA. This flaw allowed attackers to manipulate project workspace IDs, potentially leading to path traversal and arbitrary code execution. The vulnerability was reported by security researcher Antoni Tremblay and has been rectified in IntelliJ IDEA versions 2026.1.4 and 2026.2.
Multiple High-Severity Issues in TeamCity
TeamCity, JetBrains’ continuous integration and deployment server, was found to have several high-severity vulnerabilities:
- CVE-2026-59793: This issue resided in TeamCity’s Perforce VCS integration, where improper handling of file paths could grant unauthorized access to arbitrary files. The flaw was reported by researcher @maple3142 and has been addressed in TeamCity version 2026.1.2.
- CVE-2026-59794 and CVE-2026-59795: These stored cross-site scripting (XSS) vulnerabilities allowed malicious scripts to be injected and executed in users’ browsers. The first was related to agent-reported data on the cloud profile page, while the second could be triggered through unauthenticated agent registration. Both vulnerabilities have been patched in the latest TeamCity release.
- CVE-2026-59796: This flaw involved improper authorization checks, enabling unauthorized users to modify CI/CD pipeline configurations. Such unauthorized modifications could compromise build integrity and pose risks to the software supply chain. The issue was reported by researcher Alwion and has been fixed in TeamCity version 2026.1.2.
CSS Injection Vulnerability in YouTrack
YouTrack, JetBrains’ issue tracker and project management tool, contained a low-severity vulnerability identified as CVE-2026-59791. This issue allowed for CSS injection through Mermaid diagram rendering, potentially leading to altered page presentations and facilitating phishing or user interface deception attacks. The vulnerability was reported by Rohit Prasanth (h3ri0s) and has been addressed in YouTrack version 2026.2.17012.
Organizations utilizing these JetBrains products are strongly advised to upgrade to the latest versions: IntelliJ IDEA 2026.1.4 or 2026.2, TeamCity 2026.1.2, and YouTrack 2026.2.17012. Additionally, administrators should review TeamCity agent registration settings, audit recent pipeline changes, and monitor access logs for any unusual repository or file-access activities.
These recent patches highlight the critical need for organizations to maintain up-to-date software to protect against potential security threats. Regular updates and vigilant monitoring are essential components of a robust cybersecurity strategy.