JetBrains Patches 6 Vulnerabilities in TeamCity, YouTrack, IntelliJ IDEA
Key Takeaways JetBrains has released patches for six security vulnerabilities across its IntelliJ IDEA, TeamCity, and YouTrack products. A critical path traversal flaw (CVE-2026-59792) in IntelliJ...
Key Takeaways
- JetBrains has released patches for six security vulnerabilities across its IntelliJ IDEA, TeamCity, and YouTrack products.
- A critical path traversal flaw (CVE-2026-59792) in IntelliJ IDEA could lead to remote code execution.
- TeamCity was affected by four high-severity issues, including arbitrary file access and multiple stored cross-site scripting (XSS) vulnerabilities.
- A low-severity CSS injection flaw (CVE-2026-59791) was addressed in YouTrack.
- Users are urged to update their installations immediately to the patched versions.
JetBrains has issued critical security updates to address a total of six vulnerabilities impacting its widely used software development and project management tools, including IntelliJ IDEA, TeamCity, and YouTrack. These patches resolve issues ranging from critical code execution risks to high-severity cross-site scripting flaws and unauthorized configuration modifications.
Table Of Content
Critical Code Execution Flaw in IntelliJ IDEA
The most severe vulnerability, identified as CVE-2026-59792, is a critical improper path handling flaw (CWE-23) discovered in IntelliJ IDEA. This vulnerability could allow an attacker to leverage specific project workspace ID processing to conduct path traversal attacks, potentially leading to arbitrary code execution within affected IntelliJ IDEA environments.
Security researcher Antoni Tremblay is credited with reporting this significant flaw. JetBrains has mitigated this issue in IntelliJ IDEA versions 2026.1.4 and 2026.2. Users are strongly advised to upgrade to these patched versions without delay.
Multiple High-Severity Issues in TeamCity
JetBrains’ continuous integration and delivery server, TeamCity, was found to be susceptible to four high-severity vulnerabilities. These issues could compromise build integrity, expose sensitive data, and facilitate client-side attacks.
- Arbitrary File Access (CVE-2026-59793): Reported by researcher @maple3142, this CWE-73 vulnerability affects TeamCity 2026.1.2. It resides within the Perforce VCS integration and could permit arbitrary file access through externally controlled file or path references.
- Stored Cross-Site Scripting (CVE-2026-59794 and CVE-2026-59795): Two distinct stored XSS vulnerabilities were identified. CVE-2026-59794 allows malicious JavaScript to be stored and executed when agent-reported data is displayed on the cloud profile page. CVE-2026-59795 can be triggered via unauthenticated agent registration. Successful exploitation of either XSS flaw could lead to session hijacking, unauthorized interface manipulation, or actions performed in the context of a logged-in TeamCity user.
- Unauthorized Pipeline Modifications (CVE-2026-59796): Researcher Alwion reported this CWE-862 improper authorization check vulnerability. It could enable users to modify CI/CD pipeline configurations without the necessary permissions, posing substantial risks to build integrity and the overall software supply chain security.
All four high-severity vulnerabilities affecting TeamCity have been addressed in TeamCity version 2026.1.2. For a comprehensive list of fixed issues, users can refer to the JetBrains patched vulnerabilities page.
Low-Severity CSS Injection in YouTrack
JetBrains also resolved a low-severity vulnerability, CVE-2026-59791, in its project management and issue tracking tool, YouTrack. This issue, reported by Rohit Prasanth (h3ri0s), allows for CSS injection through Mermaid diagram rendering in YouTrack version 2026.2.17012.
While this CSS injection cannot directly execute scripts, it can be exploited to alter page presentation, potentially facilitating phishing attacks or user interface deception. Users of YouTrack should update to version 2026.2.17012 to mitigate this risk.
What You Should Do
- Upgrade Immediately: All organizations utilizing the affected JetBrains products should upgrade to the patched versions without delay. Specifically, update to IntelliJ IDEA versions 2026.1.4 or 2026.2, TeamCity version 2026.1.2, and YouTrack version 2026.2.17012.
- Review TeamCity Settings: Administrators should review their TeamCity agent registration settings to ensure only authorized agents can connect.
- Audit Logs: Examine access logs for any unusual repository or file-access activity, especially in TeamCity environments.
- Monitor Pipeline Changes: Audit recent CI/CD pipeline changes within TeamCity for any unauthorized modifications.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.