IntelliJ IDEA RCE flaw CVE-2026-59792: opening a crafted project runs code
IntelliJ IDEA has a critical flaw (CVE-2026-59792, severity 9.6): opening a crafted project runs attacker code on your machine. All versions before 2026.1.4 and 2026.2 are affected. Update now.
Table of contents
IntelliJ IDEA has a critical flaw (CVE-2026-59792, severity 9.6): opening a crafted project runs attacker code on your machine. All versions before 2026.1.4 and 2026.2 are affected. Update now.
A serious flaw has been found in "IntelliJ IDEA," the integrated development environment (an all-in-one tool for writing programs) used by developers around the world, that lets an attacker's code run on your computer the moment you open a specially crafted project. The identifier is CVE-2026-59792, and its severity is 9.6 out of 10, in the top tier.
All an attacker needs is for the user to open (import) a project β a set of source code β that the attacker prepared, in their own IntelliJ IDEA. The instant it opens, a file gets written to a location it should never reach, and the code runs from there. This is called remote code execution (RCE), one of the most severe classes of vulnerability. Affected are all versions before 2026.1.4 and before 2026.2, and the vendor, JetBrains, has already released a fix. If you use IntelliJ IDEA, update to the latest version right now.
What is IntelliJ IDEA
IntelliJ IDEA is an integrated development environment (IDE) developed by the Czech company JetBrains. An IDE is software that brings writing, running, and debugging code together into a single screen. For the Java and Kotlin languages in particular it is effectively the default choice, and millions of developers worldwide use it every day, from enterprise system development to individual app building. It comes in a free Community edition and a paid Ultimate edition, and is widely used in development teams everywhere.
This kind of development software is routinely used to open and inspect projects received from outside β source code written by other people. The very act of "opening someone else's code on your own computer" can become an entry point for attack, which is what makes IDEs dangerous. The same pattern of flaw has been reported repeatedly in developer tools, as with the vulnerability in the VS Code Java extension and the vulnerability in Amazon's AI development tool Kiro.
What is dangerous, and how far can the damage spread
This flaw is what specialists call "path traversal" (moving through directories using relative paths). There was a problem in how the internal identifier used when opening a project (the ID that points to the project's workspace) was handled, leaving it in a state where a file could be placed in a location that should have been off-limits. An attacker uses this to slip an executable file into a spot IntelliJ IDEA automatically loads, and runs code from there. The U.S. National Institute of Standards and Technology (NIST) classifies this as relative path traversal (CWE-23).
Once code runs on the computer, the attacker can do virtually anything, with the same privileges as the user operating that machine. Stealing source code and work files, harvesting saved passwords and cloud credentials, installing other malware, building a foothold into the corporate network β the damage can spread quickly. Developers' machines often hold keys and access rights to production environments, so there is a risk of the damage cascading through an entire company from there. The severity score of 9.6 reflects this "size of impact you can seize just by having someone open a file."
No login is required, but it does take one step: the user opening a crafted project. It is not something that lands by indiscriminately scanning the internet, but conversely, the very habit of opening an attractive repository published on GitHub, or code handed to you at work, without suspicion, is what gets targeted. Just like the vulnerability in the AI coding tool Cline, where merely opening a malicious site let attackers operate the PC, a developer's everyday act of "opening" becomes the trigger.
Who targets this hole, and what happens
The likely exploiters of this vulnerability are attackers who hijack developers' computers to steal production credentials and source code, and ransomware groups or supply-chain attackers looking for a foothold into a company's systems. A developer's device often holds a "keyring" to internal systems and cloud services, making it a high-value target for attackers.
The flow of attack goes like this. Attackers distribute a crafted project disguised as a handy library, an interview assignment, or a work handoff, and the moment the victim opens it in IntelliJ IDEA, they run code on the computer. The technical details are below, but all it takes is "getting the target to open it," after which the operation proceeds without the user noticing.
As a result, a targeted developer can have not only their work-in-progress code or customer data stolen, but also their saved cloud keys abused to break into the company's servers. In recent years, "supply-chain attacks" that break into organizations through developers and development tools have been on the rise, overlapping with the structure in which the attacking side is accelerating attacks with AI. A flaw in a development tool tends to have outsized impact precisely because it can spread beyond one person's computer to an entire organization.
What is happening from a technical standpoint
The problem lay in how the internal processing works when a project is opened. A single identifier has been assigned to it.
CVE-2026-59792: from the handling of the project's workspace ID, an executable file can be planted
When IntelliJ IDEA opens a project, it reads and writes configuration files and the like based on an identifier that indicates the project's workspace (the workspace ID). This identifier was supposed to point only inside a designated folder. This time, however, if characters that move to a parent folder, such as "../", are mixed into this value, a file can be written outside the designated range. NIST classifies this as directory traversal via relative paths (CWE-23).
The attack technique goes like this. An attacker prepares a project with a crafted workspace ID, and when the victim opens it, a file containing the attacker's code is written to a location that IntelliJ IDEA automatically loads, such as at startup, and runs from there. No login is required (no privileges needed), but the victim opening the project is the trigger. In the CVSS breakdown, it carries a "scope change (S:C)" indicating impact spreading beyond the software itself, and impact on confidentiality and integrity is rated "High." JetBrains published a fix correcting the handling of this identifier as a security update, resolved in 2026.1.4 and 2026.2.
Affected versions and countermeasures
Affected are all versions of IntelliJ IDEA before 2026.1.4 and before 2026.2. Since the vendor has released a fix, the fundamental countermeasure is to update to 2026.1.4 or 2026.2 or later. Apply the latest version from the IDE's "Check for Updates."
| Your situation | Severity | What to do |
|---|---|---|
| Before 2026.1.4 / 2026.2 Γ you open external code | Most dangerous (code runs on open) | Update now Don't open untrusted code |
| Before 2026.1.4 / 2026.2 Γ only your own code | Update needed | Update soon |
| 2026.1.4 / 2026.2 or later (latest) | Patched | This hole is closed |
As a stopgap if you cannot update immediately, not opening projects of unknown origin is the most effective. IntelliJ IDEA also has a mechanism to open untrusted projects in a restricted way ("Safe Mode" for handling untrusted projects safely), so when you open code you have no memory of, do not grant it trust. These are only time-buying measures, however; fundamentally you need to update to the latest version.
What is confirmed, and what is still unknown
β Confirmed facts
- βOpening a crafted project causes code to run via path traversal. No login required; the user's action of opening it is required (NVD)
- βThe cause is relative path traversal in the handling of the project's workspace ID (CWE-23)
- βAffected are versions before 2026.1.4 and before 2026.2; JetBrains has released a fix. Severity is 9.6 (NVD)
? Not yet confirmed
- ?As of publication, there is no official report of this vulnerability being used in an actual attack
- ?As of publication, it is not listed in the "Known Exploited Vulnerabilities catalog (KEV)" published by the U.S. government's CISA (you can check the latest KEV status here)
- ?Attacks targeting developers tend to spread across an entire organization, and exploitation often begins after public disclosure β caution is warranted
What you can do right now
The core countermeasure is clear. The top priority is to update IntelliJ IDEA to 2026.1.4 or 2026.2 or later. Run "Check for Updates" from the IDE's "Help" menu and apply the latest version. If you install multiple IDEs together with JetBrains' management tool "Toolbox App," you can update from the Toolbox side. Because it can be exploited just by opening, every bit of delay lengthens your time at risk.
Also important is the habit of not carelessly opening projects or sample code of unknown origin. Repositories found on GitHub, code handed to you in an interview or assignment, projects sent by email or chat β do not open them casually until you have confirmed they are trustworthy. Development tools suffer a steady stream of incidents where the "open / import" action is exploited, as with flaws in extensions and preview features and a flaw where a command runs just by entering a project.
| Who you are | What you can do now | Priority |
|---|---|---|
| IntelliJ user | Update to 2026.1.4 / 2026.2 or later Don't open suspicious projects | Top priority |
| Dev team admin | Check everyone's version and update all at once Review distribution via Toolbox | High |
| Suspect you opened bad code | Reissue credentials, inspect the device Investigate suspicious traffic and files | High |
Frequently asked questions
Q. How can I check whether my IntelliJ IDEA is an affected version?
A. Launch IntelliJ IDEA and open "About" under the "Help" menu to see your current version. If it is before 2026.1.4 or before 2026.2, it is affected. Update to the latest version via "Check for Updates." Both the free Community edition and the paid Ultimate edition need updating if they are on an affected version.
Q. Am I safe if I only open code I wrote myself?
A. Because exploitation requires "opening a project crafted by an attacker," if you never open external code at all, the chance of immediate exploitation is low. However, you routinely have chances to open externally sourced projects, such as pulling in libraries or receiving code from colleagues. The sure thing is to update to the latest version.
Q. Is it already being exploited in attacks?
A. As of this article's publication, there is no official report of this vulnerability being used in an actual attack. It is not listed in the U.S. CISA's Known Exploited Vulnerabilities catalog (KEV) either. However, attacks targeting developers tend to grow large, and once a fix is public the technique is often analyzed and exploitation begins, so updating early is safer.
Q. Are tools based on IntelliJ, such as Android Studio, also at risk?
A. There are several development tools built on IntelliJ IDEA, but whether they are affected depends on each product's build and the version it incorporated. This identifier (CVE-2026-59792) was assigned to IntelliJ IDEA. If you use a derivative tool, check the security information published by its respective vendor.
Summary
This case is about how IntelliJ IDEA, a staple development tool used by developers worldwide, mishandled the identifier used when opening a project, so that merely opening a crafted project can run code on your computer. CVE-2026-59792 can be exploited without a login (the user's action of opening is required), and its severity is a top-tier 9.6. What makes it troublesome is that developers' machines often hold the organization's keys, so the damage does not stay with one individual.
The saving grace is that JetBrains has already released a fix. Simply updating to 2026.1.4 or 2026.2 or later prevents it. Working on the assumption that development tools are easily attacked through the everyday action of "opening someone else's code," it is worth building habits of frequent updates and not casually opening code of unknown origin. If there is any new sign of exploitation, we will report it again.
References

Makoto Horikawa
Backend Engineer / AWS / Django