Introduction
A missing authorization check in JetBrains IntelliJ IDEA's Code With Me collaborative development feature allows a guest user to execute commands on the host machine, completely bypassing the permission model that should restrict guests to read-only access. With IntelliJ IDEA serving as the leading Java IDE across an ecosystem of 11.4 million recurring active JetBrains users, this CVSS 8.0 vulnerability represents a meaningful risk to enterprise development environments where collaborative coding sessions are routine.
Technical Information
Root Cause: CWE-862 and the Absent Authorization Check
CVE-2026-49367 is classified under CWE-862: Missing Authorization. This classification is significant because it indicates a complete absence of authorization enforcement, not a flawed or bypassable check (which would be CWE-863: Incorrect Authorization). No middleware, filter, or gatekeeper validates whether a Code With Me guest user has the right to invoke command execution pathways on the host machine.
MITRE's extended description of CWE-862 highlights that authorization weaknesses frequently arise when a single user application is ported to a multi user environment, as developers may not consider that multiple users will have different access rights. This observation maps directly to IntelliJ IDEA's architecture: the IDE was originally a single user desktop application, and the Code With Me feature introduced multi user access without fully extending authorization controls to every code path.
The Code With Me Permission Model
Code With Me is JetBrains' built-in collaborative development feature that enables real time pair programming within IntelliJ IDEA and other JetBrains IDEs. A session involves a host (the IDE owner) and one or more guests who join via an invitation link. The host can assign one of four permission levels:
| Permission Level | File Access | Terminal Access | Run/Execute Actions |
|---|---|---|---|
| Read-only | View only; code can be copied | No | No |
| Edit files | Modify code; host can exclude specific files | No | No |
| Full access | Complete access to all files | Yes | Yes |
| Custom | Fine grained per capability control | Per setting | Per setting |
Guests start with read-only permissions by default and cannot edit files, use the terminal, or execute code without explicit host approval. The vulnerability means a guest could execute commands on the host machine regardless of their assigned permission level, because the authorization check that should enforce the guest's permission boundaries was entirely missing from the command execution code path.
Attack Flow
Based on the CVE description and CWE-862 characteristics, the exploitation follows this sequence:
-
Session Entry: An attacker joins a Code With Me session as a guest. This can occur through obtaining an invitation link (potentially via social engineering) or by being directly invited by a host who does not suspect malicious intent.
-
Authorization Bypass: The guest invokes command execution functionality on the host machine. Due to the missing authorization check, the IDE does not verify whether the guest's permission level (e.g., Read-only) permits this action. CWE-862 commonly enables exploitation through forced browsing (directly accessing resources that lack authorization checks) and API endpoint exploitation (calling functions or endpoints where authorization was never implemented). In this context, the guest likely accesses an internal IDE command execution API or service endpoint that was never gated with guest authorization logic.
-
Command Execution: Commands run on the host operating system with the privileges of the host user. Depending on the host's environment, this could provide access to source code repositories, credentials stored in configuration files, CI/CD pipeline tokens, and the broader network.
Impact Analysis
The consequences span multiple scopes, as documented by MITRE for CWE-862:
| Impact Scope | Consequence | Relevance to CVE-2026-49367 |
|---|---|---|
| Confidentiality | Read application data, files, or directories | Guest could read sensitive source code, configuration, or credentials on the host |
| Integrity | Modify application data, files, or directories | Guest could alter source code, inject malicious logic, or modify build artifacts |
| Access Control | Gain privileges or assume identity; bypass protection mechanism | Guest escalates from read-only to command execution, bypassing the permission model |
| Availability | DoS: crash, exit, or restart; resource consumption | Guest could terminate processes or consume host resources |
Relationship to CVE-2025-57728
A closely related vulnerability, CVE-2025-57728, was published on August 20, 2025, affecting IntelliJ IDEA before 2025.2. Classified as CWE-863 (Incorrect Authorization), it allowed a Code With Me guest to discover hidden files. The progression from CWE-863 (a check exists but is flawed) to CWE-862 (no check exists at all) suggests that the Code With Me authorization model may have command execution pathways that were never instrumented with authorization logic, rather than paths where authorization was implemented incorrectly. This escalation pattern warrants a broader audit of all guest accessible surfaces in the IDE.
Affected Systems and Versions
All versions of JetBrains IntelliJ IDEA before 2026.1.1 are affected. The NVD entry uses the generic description "IntelliJ IDEA before 2026.1.1" without specifying edition, which suggests both Community and Ultimate editions are impacted. The fix is included in version 2026.1.1.
The vulnerability specifically affects installations where the Code With Me feature is enabled and in use. Installations that have never used Code With Me or have the plugin disabled are not exposed to this particular attack vector, though upgrading is still recommended.
Vendor Security History
JetBrains has accumulated several security issues in IntelliJ IDEA over the past two years, with a notable concentration in authorization and access control:
| CVE | Description | CWE | Affected Versions | Published |
|---|---|---|---|---|
| CVE-2026-49367 | Command execution via guest user account | CWE-862 (Missing Authorization) | Before 2026.1.1 | 2026-05-29 |
| CVE-2026-41882 | Arbitrary local file read | Not specified | Before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2 | 2026-04-30 |
| CVE-2025-57728 | Guest discovers hidden files | CWE-863 (Incorrect Authorization) | Before 2025.2 | 2025-08-20 |
| CVE-2025-32054 | Source code logged in idea.log file | Not specified | Before 2024.3, 2024.2.4 | 2025 |
| CVE-2025-68269 | Missing confirmation for opening untrusted remote projects | Not specified | Before 2025.3 | 2025 |
| CVE-2022-46825 | Built-in web server path traversal allows arbitrary file read | Not specified | Not specified | 2022 |
The recurrence of guest related authorization failures (CVE-2025-57728 and CVE-2026-49367) specifically in the Code With Me feature indicates a systemic gap in the collaborative functionality's authorization model. JetBrains does maintain a mature CVE response process, operating its own CVE Numbering Authority and publishing remediation guidance promptly, but the pattern suggests that the Code With Me feature may benefit from a comprehensive authorization framework review rather than individual fixes.
In January 2021, The New York Times reported that unknown parties may have embedded malware in JetBrains TeamCity software in connection with the SolarWinds incident. JetBrains stated they had not been contacted by any government or security agency and had not taken part in or been involved in the attack. While unresolved, this incident placed JetBrains in the spotlight of supply chain security concerns.
References
- NVD: CVE-2026-49367
- JetBrains Fixed Security Issues
- JetBrains Privacy and Security
- CWE-862: Missing Authorization
- NVD: CVE-2025-57728 (Prior Code With Me Authorization Issue)
- NVD: CVE-2026-41882
- Code With Me Enterprise User Guide
- Proofpoint: 2026 Vulnerability Exploitation in the Wild
- CTI Labs: JetBrains IntelliJ IDEA Vulnerability Demands Patching
- Tenable: JetBrains IntelliJ IDEA Arbitrary Local File Read (CVE-2026-41882)
- JetBrains Blog: Meet Code With Me
- Understanding CWE-862: Missing Authorization (Medium)
- JetBrains Wikipedia
- JetBrains Annual Highlights 2023



