preloader

· devops security digital-security cve ci-cd supply-chain europe patch-management

JetBrains Patches a 9.6-Severity IntelliJ Flaw and Two TeamCity Bugs the Same Week: Patch Your Dev Tooling, Not Just Your Servers

Source: JetBrains Security Advisories / NVD

JetBrains, the Czech-headquartered maker of IntelliJ IDEA, TeamCity, and a large share of the IDEs and CI/CD tooling running across European engineering teams, disclosed three vulnerabilities on July 10, 2026. The most serious is CVE-2026-59792, a critical 9.6-severity flaw in IntelliJ IDEA versions before 2026.1.4 and 2026.2, which enables code execution through path traversal in how the IDE handles project workspace IDs. The other two affect TeamCity before 2026.1.2: CVE-2026-59793, an 8.8-severity arbitrary file access flaw reachable through the Perforce VCS integration, and CVE-2026-59794, a 7.3-severity stored cross-site scripting flaw on the cloud profile page triggered via agent-reported data.

Why an IDE vulnerability deserves the same urgency as a server one

A 9.6 severity score on a developer’s IDE tends to get less attention than the same score on an internet-facing server, and that is a mistake. IntelliJ IDEA runs on the machine that has your source code, your VCS credentials, your local environment variables, and frequently a live connection into your CI/CD pipeline. A path traversal flaw that leads to code execution through project workspace handling means opening or interacting with a malicious or compromised project, something developers do routinely when cloning a colleague’s branch, reviewing a pull request locally, or evaluating an open-source dependency, could be enough to hand an attacker code execution on the single machine most likely to have write access to your production pipeline.

Why the TeamCity flaws matter even at a lower severity

TeamCity is JetBrains’ CI/CD server, and both flaws sit inside functionality that is either integration-facing or attacker-influenced by design. The Perforce VCS integration bug allows arbitrary file access, a serious problem on a system that by definition holds build artifacts, deployment credentials, and pipeline configuration. The stored XSS flaw on the cloud profile page is triggered by agent-reported data, meaning a compromised or malicious build agent, not just a malicious human user, can plant the payload. TeamCity has already had a rough year for high-severity CVEs, and CI/CD servers remain one of the most consistently targeted categories of DevOps infrastructure precisely because compromising one gives an attacker a foothold in every pipeline it touches.

What to actually do this week

Update IntelliJ IDEA to 2026.1.4 or 2026.2 across every developer machine in your organisation, not just the ones your asset inventory happens to track, IDE updates are notoriously under-managed compared to OS and server patching. Update TeamCity to 2026.1.2 or later, and if you use the Perforce VCS integration specifically, treat that upgrade as non-optional rather than scheduled for the next maintenance window. Review TeamCity build agent permissions and confirm agents cannot report arbitrary data that reaches privileged UI contexts, since the stored XSS path depends on exactly that trust relationship.

If you want help auditing which developer tools and CI/CD systems in your environment are running unpatched versions, or building a patch management process that actually covers IDEs and build agents instead of just production servers, contact Excello Digital. We help engineering teams close the patching blind spots that sit closest to the source code itself.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!