JetBrains Hub Authentication Bypass Vulnerability Allowing Account Takeover via OAuth Integration

Vulnerability

An authentication bypass vulnerability has been identified in JetBrains Hub versions prior to 2026.1. It allows two-factor authentication (2FA) to be bypassed for accounts that sign in through GitHub Single Sign-On (SSO) with a linked Outlook email address: because of a flaw in how Hub handles sign-in requests for such accounts, the sign-in completes without the second factor, and the resulting session can perform administrative actions.

Impact

Exploitation of this vulnerability could lead to unauthorized administrative access, allowing an attacker to perform privileged actions within Hub. For the affected accounts, 2FA provides no protection, so the GitHub SSO identity is effectively the only factor guarding administrative privileges.

Reproduction

To reproduce this vulnerability, sign in to JetBrains Hub with a GitHub account whose linked email address is an Outlook address. During this sign-in, Hub does not enforce the second factor even though 2FA is required for the account, so the session is established without the verification step. Once signed in, the user can perform administrative actions; this is the authentication bypass.
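The advisory does not describe the root cause. The following added example (not JetBrains Hub code, and not a statement about the actual defect) shows the server-side invariant that an SSO sign-in path must preserve, in general form: an identity asserted by an external provider (here a GitHub SSO login) satisfies only the first factor, and the session must stay unauthenticated, and unable to perform administrative actions, until the account's own second factor is verified, regardless of the identity provider or the domain of the linked email address. The account and session models, the function names, the sample administrator account, and the TOTP secret (the RFC 6238 test secret) are all assumptions made for the illustration.

```python
"""Added illustration: an SSO callback that still enforces a TOTP second factor.

All names, data structures and sample accounts here are assumptions made for
this example; they are not JetBrains Hub code and say nothing about the actual
root cause of the advisory.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    username: str
    email: str                      # email address linked through the SSO provider
    is_admin: bool
    totp_secret: Optional[bytes]    # None means 2FA is not enabled on this account


@dataclass
class Session:
    username: str
    factors: set = field(default_factory=set)   # factors verified so far
    authenticated: bool = False   # True only once every required factor is satisfied


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for a given Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def sso_callback(account: Account, provider: str) -> Session:
    """Called after the identity provider has asserted the user's identity.

    The provider and the linked email domain are recorded but never used to
    decide whether the second factor is required; only the account's own 2FA
    setting decides that.
    """
    session = Session(account.username)
    session.factors.add(f"sso:{provider}")
    session.authenticated = account.totp_secret is None   # no 2FA configured: done
    return session


def verify_second_factor(session: Session, account: Account, code: str, now: int) -> bool:
    """Complete the sign-in if the submitted TOTP code is valid for the current step."""
    if account.totp_secret is None:
        return session.authenticated
    expected = totp(account.totp_secret, now)
    if hmac.compare_digest(expected, code):
        session.factors.add("totp")
        session.authenticated = True
    return session.authenticated


def admin_action_allowed(session: Session, account: Account) -> bool:
    """Gate for privileged operations: full authentication plus the admin role."""
    if not session.authenticated:
        return False
    if account.totp_secret is not None and "totp" not in session.factors:
        return False   # defence in depth: a 2FA account must carry the TOTP factor
    return account.is_admin


# Constructed sample data for the advisory's scenario: an administrator whose
# GitHub SSO identity is linked to an Outlook address and who has 2FA enabled.
RFC6238_TEST_SECRET = b"12345678901234567890"
ADMIN = Account("admin", "admin@outlook.com", is_admin=True, totp_secret=RFC6238_TEST_SECRET)


def demo_sign_in(now: int = 59) -> tuple:
    """Run the flow once; returns admin access after SSO, after a wrong code, after the right code."""
    session = sso_callback(ADMIN, "github")
    after_sso = admin_action_allowed(session, ADMIN)
    verify_second_factor(session, ADMIN, "000000", now)
    after_wrong = admin_action_allowed(session, ADMIN)
    verify_second_factor(session, ADMIN, totp(RFC6238_TEST_SECRET, now), now)
    after_right = admin_action_allowed(session, ADMIN)
    return after_sso, after_wrong, after_right


if __name__ == "__main__":
    print(demo_sign_in())   # (False, False, True)
```

The point of the structure is that `sso_callback` never consults the provider name or the email domain when deciding whether the session is complete, and `admin_action_allowed` re-checks the factor set rather than trusting a single `authenticated` flag, so a sign-in path that forgets the second step cannot reach privileged operations.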

Remediation

Update to JetBrains Hub version 2026.1 or later, where this vulnerability has been addressed, and confirm the running version after the upgrade. No workaround for earlier versions is described.

Added: Mar 11, 2026, 3:19 PM
Updated: Mar 11, 2026, 3:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 3.1
exploitability: 5.6
remediation: 0.0
relevance: 3.8
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.