JetBrains Hub

By the Year

In 2026 there has been 1 vulnerability in JetBrains Hub, with an average score of 9.1 out of ten. Last year, in 2025, Hub had 4 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Hub in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 4.23.




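| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 1 | 9.10 |
| 2025 | 4 | 4.88 |
| 2024 | 2 | 5.40 |
| 2023 | 2 | 7.60 |
| 2022 | 8 | 7.08 |
| 2021 | 11 | 7.15 |
| 2020 | 1 | 0.00 |
| 2019 | 3 | 0.00 |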

It may take a day or so for new Hub vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent JetBrains Hub Security Vulnerabilities

JetBrains Hub auth bypass pre-2025.3.119807 permits admin actions
CVE-2026-25848 9.1 - Critical - February 09, 2026

In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible

Missing Authentication for Critical Function

JetBrains Hub <2025.3.104432: Users API Info Disclosure
CVE-2025-64683 5.3 - Medium - November 10, 2025

In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API

Race Condition

JetBrains Hub Before 2025.3.104432: Race Condition Allows Agent-User Limit Bypass
CVE-2025-64682 2.7 - Low - November 10, 2025

In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit

Race Condition

JetBrains Hub <2025.3.104992: Race Cond Bypass Invite User Limit
CVE-2025-64681 2.7 - Low - November 10, 2025

In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations

AuthZ

JetBrains Hub LDAP Auth Mapping PrivEsc before 2024.3.55417
CVE-2025-24456 8.8 - High - January 21, 2025

In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping

Missing Authentication for Critical Function

JetBrains Hub v<2024.3.47707 Improper Access Control Token Generation
CVE-2024-50573 5.4 - Medium - October 28, 2024

In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services

AuthZ

JetBrains Hub <2024.2.34646: Stored XSS in Project Desc
CVE-2024-38507 5.4 - Medium - June 18, 2024

In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible

XSS

JetBrains Hub < 2023.1.15725: SSRF protection missing in Auth Module integration
CVE-2022-48477 9.8 - Critical - April 24, 2023

In JetBrains Hub before 2023.1.15725 SSRF protection in Auth Module integration was missing

SSRF

JetBrains Hub Reflected XSS in Dashboards pre-2022.3.15573
CVE-2022-48429 5.4 - Medium - March 27, 2023

In JetBrains Hub before 2022.3.15573, 2022.2.15572, 2022.1.15583 reflected XSS in dashboards was possible

XSS

JetBrains Hub <2022.3.15181 Email Throttling ByPass
CVE-2022-45471 7.5 - High - November 18, 2022

In JetBrains Hub before 2022.3.15181 Throttling was missed when sending emails to a particular email address

Allocation of Resources Without Limits or Throttling

In JetBrains Hub before 2022.2.14799, insufficient access control
CVE-2022-34894 5.3 - Medium - July 01, 2022

In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services

In JetBrains Hub before 2022.1.14638 stored XSS
CVE-2022-29811 4.8 - Medium - April 28, 2022

In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible.

XSS

JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF).
CVE-2022-25260 9.1 - Critical - February 25, 2022

JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF).

SSRF

In JetBrains Hub before 2022.1.14434
CVE-2022-25262 9.8 - Critical - February 25, 2022

In JetBrains Hub before 2022.1.14434, SAML request takeover was possible.

Insufficient Verification of Data Authenticity

JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS.
CVE-2022-25259 6.1 - Medium - February 25, 2022

JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS.

XSS

In JetBrains Hub before 2021.1.13956
CVE-2022-24328 6.5 - Medium - February 25, 2022

In JetBrains Hub before 2021.1.13956, an unprivileged user could perform DoS.

In JetBrains Hub before 2021.1.13890
CVE-2022-24327 7.5 - High - February 25, 2022

In JetBrains Hub before 2021.1.13890, integration with JetBrains Account exposed an API key with excessive permissions.

Incorrect Permission Assignment for Critical Resource

In JetBrains Hub before 2021.1.13690, information disclosure
CVE-2021-43180 7.5 - High - November 09, 2021

In JetBrains Hub before 2021.1.13690, information disclosure via avatar metadata is possible.

In JetBrains Hub before 2021.1.13690
CVE-2021-43181 6.1 - Medium - November 09, 2021

In JetBrains Hub before 2021.1.13690, stored XSS is possible.

XSS

In JetBrains Hub before 2021.1.13415, a DoS
CVE-2021-43182 7.5 - High - November 09, 2021

In JetBrains Hub before 2021.1.13415, a DoS via user information is possible.

In JetBrains Hub before 2021.1.13690
CVE-2021-43183 9.8 - Critical - November 09, 2021

In JetBrains Hub before 2021.1.13690, the authentication throttling mechanism could be bypassed.

In JetBrains Hub before 2021.1.13389
CVE-2021-36209 9.8 - Critical - August 06, 2021

In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.

Weak Password Recovery Mechanism for Forgotten Password

In JetBrains Hub before 2021.1.13262
CVE-2021-37540 6.5 - Medium - August 06, 2021

In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used.

In JetBrains Hub before 2021.1.13402
CVE-2021-37541 6.1 - Medium - August 06, 2021

In JetBrains Hub before 2021.1.13402, HTML injection in the password reset email was possible.

Injection

In JetBrains Hub before 2021.1.13079
CVE-2021-31901 7.5 - High - May 11, 2021

In JetBrains Hub before 2021.1.13079, two-factor authentication wasn't enabled properly for the All Users group.

In JetBrains Hub before 2020.1.12669, information disclosure
CVE-2021-25760 5.3 - Medium - February 03, 2021

In JetBrains Hub before 2020.1.12669, information disclosure via the public API was possible.

Information Disclosure

In JetBrains Hub before 2020.1.12629, an authenticated user
CVE-2021-25759 6.5 - Medium - February 03, 2021

In JetBrains Hub before 2020.1.12629, an authenticated user can delete 2FA settings of any other user.

In JetBrains Hub before 2020.1.12629
CVE-2021-25757 6.1 - Medium - February 03, 2021

In JetBrains Hub before 2020.1.12629, an open redirect was possible.

Open Redirect

In JetBrains Hub before 2020.1.12099
CVE-2020-11691 - April 22, 2020

In JetBrains Hub before 2020.1.12099, content spoofing in the Hub OAuth error message was possible.

In JetBrains Hub versions earlier than 2019.1.11738
CVE-2019-18360 - October 31, 2019

In JetBrains Hub versions earlier than 2019.1.11738, username enumeration was possible through password recovery.

In JetBrains Hub versions earlier than 2018.4.11436
CVE-2019-14955 - October 01, 2019

In JetBrains Hub versions earlier than 2018.4.11436, there was no option to force a user to change the password and no password expiration policy was implemented.

In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user
CVE-2019-12847 - July 03, 2019

In JetBrains Hub versions earlier than 2018.4.11298, the audit events for SMTPSettings show a cleartext password to the admin user. It is only relevant in cases where a password has not changed since 2017, and if the audit log still contains events from before that period.
