JetBrains Hub Hit by Perfect 10.0 Flaw (CVE-2026-50242): Admin Takeover With No Password, Update Now

On June 19, 2026, developer-tools maker JetBrains disclosed three critical vulnerabilities in its login-management service, JetBrains Hub. The most severe scores a perfect 10.0 out of 10: an attacker can slip past identity checks from outside and gain administrative access. The other two rate 9.8 and 9.9, both letting an attacker impersonate other users or administrators. Fixes are already available. Any organization self-hosting Hub on its own servers or cloud needs to update now.

JetBrains Hub is the foundation that manages logins and accounts across JetBrains' team products, such as the issue tracker YouTrack and the build/test automation server TeamCity. It sits at the center of single sign-on, letting one ID unlock several tools at once. Three holes were found at the root of that login layer at the same time. They carry the IDs CVE-2026-50242, CVE-2026-56141, and CVE-2026-56142. A CVE number is the globally shared serial ID assigned to a vulnerability.

The good news, as noted above, is that the fixes shipped alongside JetBrains' official security notice. There is also no record of these being exploited in the wild (no listing on the U.S. government's catalog of vulnerabilities known to be under attack) as of disclosure. Still, a perfect 10.0 means "if the attack lands, the damage is enormous and the bar to pull it off is low." This is the kind of flaw to close before attackers move, not after the exploit goes public.

What is JetBrains Hub?

JetBrains is a major maker of the development software programmers use every day, including the coding environment IntelliJ IDEA and the Python tool PyCharm, both widely used in development teams in Japan and worldwide. Hub is the part that handles central management of IDs (accounts) for that team-product family.

Concretely, for tools like YouTrack (which tracks bugs and tasks) and TeamCity (which automatically builds, tests, and ships software), Hub manages "who this person is and what they are allowed to do" in one place. To a user, logging into Hub once unlocks all the tools beneath it. The flip side is that if Hub's admin rights are stolen, the attacker can enter every tool below it as an administrator. It is widely used by organizations that run JetBrains' tools on their own servers or cloud rather than paying for a subscription identity platform such as Okta or Auth0.

All three flaws this time sit in the identity-verification and permission-handling of that central ID management. Break the login foundation, and everything downstream is dragged into danger too: the internal discussions recorded in YouTrack, the software-delivery rights held by TeamCity. That is exactly why this is treated as serious enough to earn a perfect score.

When the Final Gate of Development Falls, What Gets Slipped Into the Build

A perfect 10.0 on its own may not register as real. So let's look at whose hands this hole actually lands in, and what it gets used for, from the attacker's side. What Hub guards is not a mere login screen, but the final gate through which a product ships to the world.

The people who truly want this hole are ransomware crews that encrypt a company's entire dataset for a payout, nation-state attack groups that plant malicious code in a specific company's product to push it out to its users, ex-developers who just left and know the internal layout cold, and brokers who resell stolen access on underground markets. What they are after is the product's source code itself, the keys that sign the built artifacts, the passwords that push to production servers, cloud API keys, and the discussions of bugs and vulnerabilities not yet disclosed left in YouTrack. The moment CVE-2026-50242 lets identity checks at the entrance be bypassed, control of the admin console that binds all of this passes straight into the attacker's hands.

The frightening part is that the damage does not end at data theft. Seize a build-and-delivery automation platform like TeamCity, and an attacker can blend malicious code into the legitimate build pipeline. This is called a supply-chain attack, and it is the highest-reach technique of all: the poisoned product flows on to the customers and users who receive it as-is. Because it is carried out under a legitimate employee account, it is hard to tell apart from normal development work in the logs, and by the time anyone notices, a signed fake update may already be going out. If a departed employee's account was left undeleted, that route can stay alive for months unnoticed.

A perfect CVSS 10.0 is only a label marking the maximum technical severity. What a development team really stands to lose is the source code built up over years, and the trust of customers who believed it was "a company that ships safely." Having your own development platform turned into the tool that poisons your own product is the worst-case scenario of this vulnerability.

What Are the Three Flaws? (CVE by CVE)

All three are of the "slip past identity checks" / "impersonate another user or admin" family. JetBrains' notice describes each only briefly, so here we lay out what each one allows, in line with the published wording. The concrete attack steps have not been released.

CVE-2026-50242: Jump past identity checks and become an admin (score 10.0)

The most severe of the three, a perfect-score flaw. JetBrains states that "authentication bypass via direct database access leading to administrative access was possible." An authentication bypass means getting inside without going through the login or identity checks that should be required. The reason the score climbs all the way to 10.0 is that no special privilege is needed for the attack (no prior login), no user interaction is required, and the impact does not stay within Hub but spreads to the tools beneath it (the scope changes). The breakdown of the severity metric, CVSS, can be checked on NVD (the U.S. National Vulnerability Database). By classification it falls under "a critical function with no authentication on it" (CWE-306).

CVE-2026-56141: "Predict" the password and take over an account (score 9.8)

A flaw where the "account-recovery code (restore code)," used when you forget a password and so on, was built in a way that could be predicted. Such codes must be generated randomly so that no one can guess them. But the values were produced poorly, leaving an attacker able to guess the code that would be issued next. Exploit it, and an attacker can take over someone else's account with no prior login and no user interaction. The score is 9.8. Technically it is classified as "use of a cryptographically weak random number generator" (CWE-338). Details are on the NVD page.

CVE-2026-56142: Raise yourself from a regular user to an admin (score 9.9)

The second-highest of the three, scoring 9.9. JetBrains states that "privilege escalation by attaching authentication details to accounts was possible." Privilege escalation means a regular user who should hold only limited rights illicitly obtaining higher rights, such as administrator. If you already had an account that could log into Hub, you could raise your own privileges from there. The 9.9 reflects a judgment that the impact crosses beyond Hub itself to the tools beneath it (the scope changes). On the NVD page, it is classified as "improper modification of dynamically determined object attributes" (CWE-915).

Each of the three is dangerous on its own, but chained together they get worse. For example, take over a regular account with CVE-2026-56141, then raise its privileges to admin with CVE-2026-56142. The very fact that this many holes were open at the login core at the same time is itself a reason to update urgently.

Vulnerability Summary

All three share the trait of being exploitable over the network (reachable across an internal network or the internet). In particular, CVE-2026-50242 and CVE-2026-56141 are scored as not requiring the attacker to hold an account beforehand, making them possible entry points from outside. As of the time of writing, these three are not listed in "KEV," the catalog of vulnerabilities confirmed under attack published by the U.S. CISA (the cybersecurity agency under the Department of Homeland Security). That said, perfect-score flaws draw attacker interest, and the situation can change.

Are You at Risk? (Version Quick-Reference)

JetBrains has issued fixes for each of several generations (release lines). Check which line your Hub is on and raise it to the matching fixed version or later. Any version older than the number on the right of the table below is affected.

Because JetBrains has backported the fix into each supported line, you do not need to leap across generations to upgrade. Just move to the fixed build within your current line. If you run a setup where Hub is embedded in YouTrack or TeamCity, also check the update notices for those products. And if you use the JetBrains-hosted cloud version, the provider handles the fix, so generally no action is needed on the user side.

What to Do Right Now

Since fixes exist, the core of the response is to "update promptly." If you run Hub yourself (including YouTrack/TeamCity that bundle Hub), consider the following steps.

1. Update to the fixed version first. Find the fixed build matching your line in the table above and apply it as soon as possible. The perfect-score CVE-2026-50242 can be exploited with no prior login, so a Hub exposed to the internet is especially high-priority.

2. If you can't update immediately, restrict external access. If maintenance windows make an immediate update hard, limit access to Hub's admin console and login endpoint to your internal network or VPN, temporarily cutting off direct access from the internet. Narrowing the path an attack can travel buys time until you update.

3. Audit admin accounts and suspicious logins. Check whether unfamiliar admin accounts have appeared, and whether there are login or permission-change records you don't recognize. Because CVE-2026-56142 leads to privilege escalation and CVE-2026-56141 to account takeover, it's reassuring to check whether they were already abused before you update.

4. Rotate the critical secrets in downstream tools. If you can't rule out that Hub was breached, reissue critical secrets just in case, such as the delivery passwords and API keys held by TeamCity and the build signing keys. Use the occasion to take inventory of any leftover accounts for departed or reassigned staff.

To an attacker, the login core is "a master key that opens every room in the building once you get through one door." Holes that slip past identity checks, like this one, keep turning up in other login platforms too. Recent examples include the Casdoor case, where nine holes of the same kind were found at once in an open-source login platform, and the GitLab account takeover in self-hosted setups. If your organization runs a login platform itself, we recommend regularly reviewing which login routes you accept and taking inventory of accounts, alongside applying the fix.

References

• ▸JetBrains - Fixed security issues (official security notice) (June 19, 2026)
• ▸NVD - CVE-2026-50242 (auth bypass leading to admin access, 10.0)
• ▸NVD - CVE-2026-56141 (account takeover via predictable restore codes, 9.8)
• ▸NVD - CVE-2026-56142 (privilege escalation via attached auth details, 9.9)
• ▸CIRCL Vulnerability-Lookup - CVE-2026-50242
• ▸JetBrains Hub product page
• ▸CISA - Known Exploited Vulnerabilities Catalog (confirmed not listed)