CVE-2026-25848

Critical

Published: 09 February 2026

Published

09 February 2026

Modified

18 February 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0001 0.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25848 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Jetbrains Hub. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-2 (Identification and Authentication (Organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific authentication bypass flaw through patching to version 2025.3.119807 or later.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Limits administrative actions to only those explicitly permitted without identification or authentication, preventing unauthorized admin access.

IA-2 Identification and Authentication (Organizational Users) good match

prevent

Mandates implementation of robust identification and authentication mechanisms to block bypass vulnerabilities like this one.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Auth bypass (CWE-306) in network-accessible JetBrains Hub directly enables remote unauthenticated exploitation of a public-facing app (T1190) to obtain admin privileges (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible

Deeper analysisAI

CVE-2026-25848 is an authentication bypass vulnerability (CWE-306) affecting JetBrains Hub versions prior to 2025.3.119807. It enables attackers to perform administrative actions without valid credentials. The issue carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites like privileges or user interaction.

A remote, unauthenticated attacker can exploit this vulnerability over the network to bypass authentication mechanisms in JetBrains Hub. Successful exploitation grants administrative privileges, allowing high-impact compromise of confidentiality (e.g., unauthorized data access) and integrity (e.g., data modification), with no direct availability disruption.

JetBrains has mitigated this vulnerability in Hub version 2025.3.119807 and later. Security practitioners should review the vendor's issues fixed advisory at https://www.jetbrains.com/privacy-security/issues-fixed/ for patch details and upgrade instructions. The CVE was published on 2026-02-09.