Skip to main content

JetBrains IntelliJ IDEA Critical Path Traversal in Workspace ID Handling Leads to Code Execution (CVE-2026-59792)

Scope: JetBrains IntelliJ IDEA Versions Before 2026.1.4 and Before 2026.2

Severity: Red

A critical path traversal vulnerability (CVSS 9.6) in JetBrains IntelliJ IDEA, disclosed July 10, 2026, allows a remote attacker to craft malicious project workspace identifiers containing ../ sequences that bypass path canonicalization in the IDE's workspace handling logic, enabling arbitrary file system access and ultimately code execution on the developer's machine when the crafted project is opened. Given that IntelliJ IDEA is the dominant IDE for Java, Kotlin, and enterprise backend development, compromise of a developer workstation through this vector can lead to source code theft, exposure of credentials and API keys stored in project files, build system manipulation, and supply chain poisoning via tampered artifacts. Developers must update IntelliJ IDEA to version 2026.1.4 or later using the Toolbox App, built-in IDE updater, or JetBrains website, and should avoid opening project workspaces from untrusted or unverified sources until the update is applied.

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.