PatchSiren cyber security CVE debrief
CVE-2026-49367 JetBrains CVE debrief
A command execution vulnerability exists in JetBrains IntelliJ IDEA versions prior to 2026.1.1. The flaw allows command execution via the guest user account, presenting a significant security risk in multi-user or shared environments where guest access may be enabled. The vulnerability is classified as HIGH severity with a CVSS score of 8.0. The attack vector is network-based with low attack complexity, requiring low privileges and user interaction. The confidentiality, integrity, and availability impacts are all rated HIGH. The underlying weakness is categorized as CWE-862 (Missing Authorization). JetBrains has addressed this issue in version 2026.1.1. Organizations should prioritize updating affected installations, particularly those with guest account functionality enabled or exposed to untrusted users.
- Vendor
- JetBrains
- Product
- IntelliJ IDEA
- CVSS
- HIGH 8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Development teams, DevSecOps engineers, and organizations using JetBrains IntelliJ IDEA in shared or multi-user configurations, particularly those with guest access enabled.
Technical summary
The vulnerability permits arbitrary command execution through the guest user account in IntelliJ IDEA. The network-accessible attack surface, combined with low privilege requirements and high impact across confidentiality, integrity, and availability, makes this a critical patching priority for development environments. The fix in 2026.1.1 addresses the missing authorization controls (CWE-862) that allowed guest users to execute commands.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade JetBrains IntelliJ IDEA to version 2026.1.1 or later
- Review and disable guest user accounts if not required
- Audit access logs for suspicious activity from guest accounts
- Restrict network access to IntelliJ IDEA instances where possible
- Verify patch deployment across all developer workstations and shared environments
Evidence notes
Vulnerability confirmed through official JetBrains security advisory and NVD entry. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. Weakness: CWE-862 (Missing Authorization).
Official resources
-
CVE-2026-49367 CVE record
CVE.org
-
CVE-2026-49367 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-29T19:16:26.440Z