Cyber Resilience

CVE-2026-25848

Critical

Published: 09 February 2026

Published
09 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0043 33.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-25848 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Jetbrains Hub. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2026-25848 is an authentication bypass vulnerability (CWE-306) affecting JetBrains Hub versions prior to 2025.3.119807. It enables attackers to perform administrative actions without valid credentials. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites like privileges or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network to bypass authentication mechanisms in JetBrains Hub. Successful exploitation grants administrative privileges, allowing high-impact compromise of confidentiality (e.g., unauthorized data access) and integrity (e.g., data modification), with no direct availability disruption.

JetBrains has mitigated this vulnerability in Hub version 2025.3.119807 and later. Security practitioners should review the vendor's issues fixed advisory at https://www.jetbrains.com/privacy-security/issues-fixed/ for patch details and upgrade instructions. The CVE was published on 2026-02-09.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Auth bypass (CWE-306) in network-accessible JetBrains Hub directly enables remote unauthenticated exploitation of a public-facing app (T1190) to obtain admin privileges (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24456Same product: Jetbrains Hub
CVE-2026-44413Same vendor: Jetbrains
CVE-2026-33392Same vendor: Jetbrains
CVE-2026-26055Shared CWE-306
CVE-2026-29796Shared CWE-306
CVE-2025-59246Shared CWE-306
CVE-2026-27028Shared CWE-306
CVE-2026-25192Shared CWE-306
CVE-2026-28193Same vendor: Jetbrains
CVE-2026-2417Shared CWE-306

Affected Assets

jetbrains
hub
≤ 2025.3.119807

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the specific authentication bypass flaw through patching to version 2025.3.119807 or later.

prevent

Limits administrative actions to only those explicitly permitted without identification or authentication, preventing unauthorized admin access.

prevent

Mandates implementation of robust identification and authentication mechanisms to block bypass vulnerabilities like this one.

References