{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25848", "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "state": "PUBLISHED", "assignerShortName": "JetBrains", "dateReserved": "2026-02-06T14:16:37.453Z", "datePublished": "2026-02-09T10:39:02.452Z", "dateUpdated": "2026-02-26T15:04:14.813Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "shortName": "JetBrains", "dateUpdated": "2026-02-09T10:39:02.452Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306", "cweId": "CWE-306"}]}], "affected": [{"vendor": "JetBrains", "product": "Hub", "versions": [{"version": "0", "status": "affected", "lessThan": "2025.3.119807", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible"}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25848", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-10T04:55:23.404135Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:14.813Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25848", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-10T04:55:23.404135Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T13:40:29.151Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "JetBrains", "product": "Hub", "versions": [{"status": "affected", "version": "0", "lessThan": "2025.3.119807", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/"}], "descriptions": [{"lang": "en", "value": "In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306"}]}], "providerMetadata": {"orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "shortName": "JetBrains", "dateUpdated": "2026-02-09T10:39:02.452Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25848", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:04:14.813Z", "dateReserved": "2026-02-06T14:16:37.453Z", "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "datePublished": "2026-02-09T10:39:02.452Z", "assignerShortName": "JetBrains"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jetbrains:hub:*:*:*:*:*:*:*:*", "matchCriteriaId": "5022BCE5-1AB2-49DE-B76C-1A18AFC5CD69", "versionEndExcluding": "2025.3.119807", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible"}, {"lang": "es", "value": "En JetBrains Hub antes de 2025.3.119807 la omisi\u00f3n de autenticaci\u00f3n permitiendo acciones administrativas era posible"}], "id": "CVE-2026-25848", "lastModified": "2026-02-18T17:56:13.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "cve@jetbrains.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-09T11:16:15.150", "references": [{"source": "cve@jetbrains.com", "tags": ["Vendor Advisory"], "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"}], "sourceIdentifier": "cve@jetbrains.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "cve@jetbrains.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2025.3.119807)"}}], "product": "hub", "vendor": "jetbrains"}], "analysis": {"en": {"generated_at": "2026-04-18T13:05:08.317371+00:00", "value": {"mitigation_remediation": ["Upgrade JetBrains Hub to version 2025.3.119807 or later to remove the authentication bypass.", "Enable multi\u2011factor authentication for all administrative accounts and restrict administrative access to trusted IP ranges.", "Audit existing administrative accounts and delete any that are not authorized or are unnecessarily privileged."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects JetBrains Hub, a collaboration and project management platform. Versions released before 2025.3.119807 are vulnerable. Administrators should check the product version and immediately apply the update once available. No other vendors or product lines are impacted according to the CNA.", "description_and_impact": "In JetBrains Hub versions earlier than 2025.3.119807, an authentication bypass flaw permitted any authenticated user to execute administrative functions without proper credential verification. This missing authentication weakness (CWE\u2011306) effectively lets an attacker gain unauthorized administrative privileges, compromising the integrity of the system. The flaw can lead to modification or deletion of user accounts, configuration data, and potentially access to sensitive information stored within Hub.", "risk_and_exploitability": "With a CVSS score of 9.1 this is a critical vulnerability, yet the EPSS score is less than 1%, indicating currently very low exploitation probability. The flaw is not listed in CISA\u2019s KEV catalog. Attackers could exploit the bypass remotely by sending specially crafted requests to the Hub API or web interface, requiring only an active session or minimal authentication. Based on the description, the attack vector is inferred to involve authenticated users with access to the Hub, but the precise exploit steps are not explicitly detailed. Due to the high severity, organizations should treat this as an urgent risk that can lead to full administrative control over the Hub instance."}}}}, "created": "2026-02-10T12:23:41.561385+00:00", "title": "Authentication Bypass Allowing Administrative Actions in JetBrains Hub", "updated": "2026-04-18T13:15:25.707840+00:00", "vendors": ["jetbrains", "jetbrains$PRODUCT$hub"]}