{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32229", "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "state": "PUBLISHED", "assignerShortName": "JetBrains", "dateReserved": "2026-03-11T14:42:57.649Z", "datePublished": "2026-03-11T15:03:37.988Z", "dateUpdated": "2026-03-12T03:55:31.443Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "shortName": "JetBrains", "dateUpdated": "2026-03-11T16:40:06.867Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-290", "description": "CWE-290", "type": "CWE"}]}], "affected": [{"vendor": "JetBrains", "product": "Hub", "versions": [{"status": "affected", "version": "2025.1", "lessThan": "2025.3.128064", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled</p>"}]}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.8, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-32229"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T03:55:31.443Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32229", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T15:40:23.481130Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:40:32.893Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "JetBrains", "product": "Hub", "versions": [{"status": "affected", "version": "2025.1", "lessThan": "2025.3.128064", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled", "supportingMedia": [{"type": "text/html", "value": "<p>In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-290", "description": "CWE-290"}]}], "providerMetadata": {"orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "shortName": "JetBrains", "dateUpdated": "2026-03-11T16:40:06.867Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32229", "state": "PUBLISHED", "dateUpdated": "2026-03-12T03:55:31.443Z", "dateReserved": "2026-03-11T14:42:57.649Z", "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "datePublished": "2026-03-11T15:03:37.988Z", "assignerShortName": "JetBrains"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jetbrains:hub:*:*:*:*:*:*:*:*", "matchCriteriaId": "47344D2C-5821-45AD-96E4-4A0664467A24", "versionEndExcluding": "2025.3.128064", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled"}, {"lang": "es", "value": "En JetBrains Hub antes de 2026.1 era posible una discrepancia de cuenta al iniciar sesi\u00f3n con autenticaci\u00f3n no-SSO y 2FA deshabilitado"}], "id": "CVE-2026-32229", "lastModified": "2026-04-02T13:11:36.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "cve@jetbrains.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T15:16:31.817", "references": [{"source": "cve@jetbrains.com", "tags": ["Vendor Advisory"], "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"}], "sourceIdentifier": "cve@jetbrains.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}], "source": "cve@jetbrains.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2025.1,2025.3.128064)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Hub", "source": "cna", "vendor": "JetBrains"}, "product": "hub", "vendor": "jetbrains"}], "analysis": {"en": {"generated_at": "2026-04-16T03:01:21.541857+00:00", "value": {"mitigation_remediation": ["Apply the JetBrains Hub 2026.1 update or later to replace affected authentication logic.", "Enable two\u2011factor authentication for all Hub accounts to eliminate the flaw\u2019s prerequisite.", "Restrict or disable non\u2011SSO authentication methods until a patch is applied, or enforce SSO onboarding for all new users."], "summary": {"action": "Patch Now", "impact": "Authentication Bypass / Account Takeover"}, "threat_synthesis": {"affected_systems": "The flaw affects JetBrains Hub versions older than 2026.1. Any deployment of Hub before that release is susceptible, regardless of the specific minor revision. It applies to all installations that rely on non\u2011SSO authentication with 2FA disabled.", "description_and_impact": "JetBrains Hub allows a user to be authenticated as an unintended account when signing in with a non\u2011SSO authentication method while two\u2011factor authentication is disabled. This flaw, identified as a credential bypass, permits an attacker to access data or perform actions on behalf of another user. The vulnerability stems from improper enforcement of account matching conditions during the sign\u2011in workflow and is catalogued as CWE\u2011290.", "risk_and_exploitability": "The CVSS base score of 6.8 places the vulnerability in a moderate risk range, while an EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. The vulnerability is not present in the CISA KEV catalog. Exploitability requires the attacker to initiate a sign\u2011in sequence with a non\u2011SSO method on an account that has 2FA turned off, making it a remote, credential\u2011based attack. The compromised accounts can then read or modify user data, potentially leading to business impact if sensitive information is accessed."}}}}, "created": "2026-03-12T10:05:45.595027+00:00", "title": "Authentication Bypass via Account Mismatch in JetBrains Hub", "updated": "2026-04-16T03:15:22.941357+00:00", "vendors": ["jetbrains", "jetbrains$PRODUCT$hub"]}