JustAppSec

IntelliJ IDEA built-in web server leaks arbitrary local files

Published 30 Apr 2026. Updated 30 Apr 2026. Source: CVEProject (cvelistV5)

TL;DR - IntelliJ IDEA's built-in web server resolves links before validating file access, letting an attacker read arbitrary local files (CWE-59, CVSS 7.4 High). User interaction is required, but the confidentiality impact is high. Update to the fixed build for your release line.

What happened

IntelliJ IDEA is JetBrains' flagship IDE. It ships a built-in web server that IDE features use to serve local content over HTTP - previews, live reload, and similar tooling. That server is the problem here.

CVE-2026-41882 describes a link resolution vulnerability (CWE-59): the server resolves symlinks or path references before enforcing file-access controls, meaning a crafted request can escape the intended serving root and read files anywhere on the local filesystem. The CVSS 3.1 score is 7.4 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N). No privileges required, but user interaction is. Scope is changed, confidentiality impact is high.

Developer workstations are soft targets. Local file disclosure sounds contained until you factor in what sits on those machines: source code, .env files, SSH keys, cloud credentials, CI tokens. Any of those can pivot directly into production environments.
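To make the CWE-59 ordering concrete, here is an added illustration (not IntelliJ's code, and not derived from the advisory) of a minimal file-serving routine in both forms. The constructed fixture places a symlink inside the serving root that points at a file outside it. The lexical variant checks containment on the unresolved path and then lets open() follow the link out of the root; the hardened variant resolves links first and only then enforces containment against the canonical root. File names and contents are constructed sample data.

```python
import os
import tempfile


def build_fixture():
    """Construct a serving root with a symlink pointing outside it.
    Constructed test data only; nothing here mirrors IntelliJ's layout."""
    base = tempfile.mkdtemp(prefix="cwe59-demo-")
    root = os.path.join(base, "www")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>")
    secret = os.path.join(base, "secret.env")  # deliberately OUTSIDE root
    with open(secret, "w") as fh:
        fh.write("TOKEN=constructed-sample")
    os.symlink(secret, os.path.join(root, "link.env"))
    return root, secret


def serve_lexical(root, requested):
    """Vulnerable pattern: containment is decided on the *unresolved* path,
    then open() silently follows the symlink out of the root (CWE-59)."""
    candidate = os.path.normpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None  # stops ../ traversal, but symlinks are never examined
    if not os.path.isfile(candidate):
        return None
    with open(candidate) as fh:
        return fh.read()


def serve_resolved(root, requested):
    """Hardened pattern: resolve links first, then enforce containment on the
    canonical path, so a link that leaves the root is refused."""
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, requested))
    if os.path.commonpath([real_root, target]) != real_root:
        return None
    if not os.path.isfile(target):
        return None
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    root, _ = build_fixture()
    for name in ("index.html", "link.env", "../secret.env"):
        print(f"{name!r}: lexical={serve_lexical(root, name)!r} "
              f"resolved={serve_resolved(root, name)!r}")
```

The order of operations is the whole point: canonicalise (realpath) and only then compare against the canonical root. Checking first and resolving afterwards leaves a window in which a link inside the root can point anywhere on disk.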

Who is impacted

  • Developers and CI runners using any affected IntelliJ IDEA build.
  • Environments where the IDE's built-in web server is reachable by an attacker under the CVE's threat model. The CVSS vector specifies network reachability and user interaction.
IntelliJ IDEA release line    Fixed in
2024.3.x                      2024.3.7.1
2025.1.x                      2025.1.7.1
2025.2.x                      2025.2.6.2
2025.3.x                      2025.3.4.1
2026.1.x                      2026.1.1

What to do now

  • Update IntelliJ IDEA to the fixed build for your release line: 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, or 2026.1.1.
  • Inventory every engineering endpoint and CI runner that has IntelliJ IDEA installed. Prioritise upgrades on shared dev hosts, remote dev environments, and machines holding elevated credentials.
  • While patching, reduce exposure at the network layer:
    • restrict inbound access to local developer services at the host firewall and network edge where feasible
    • treat local secrets on developer machines as potentially exposed - rotate credentials if you have any reason to suspect they were reachable
  • To scope potential impact, determine whether the built-in web server was reachable in your environment and what sensitive files were present on affected hosts.
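For the inventory step, the fixed-build table above is easy to turn into a triage script. The following is an added example (not a JetBrains tool, not from the advisory) that maps an installed build number to its release line, compares it against the fixed build for that line, and flags anything older. The host list is constructed sample data; release lines the advisory does not list are reported as "unlisted" rather than guessed at.

```python
# Fixed builds per release line, taken from the advisory table.
FIXED_BUILDS = {
    "2024.3": "2024.3.7.1",
    "2025.1": "2025.1.7.1",
    "2025.2": "2025.2.6.2",
    "2025.3": "2025.3.4.1",
    "2026.1": "2026.1.1",
}


def parse_build(version):
    """'2025.2.6.2' -> (2025, 2, 6, 2); tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def release_line(version):
    """First two components identify the release line, e.g. '2025.2'."""
    parts = parse_build(version)
    return f"{parts[0]}.{parts[1]}"


def assess(version):
    """Return 'fixed', 'vulnerable', or 'unlisted' for one installed build."""
    fixed = FIXED_BUILDS.get(release_line(version))
    if fixed is None:
        return "unlisted"  # advisory gives no fixed build for this line
    return "fixed" if parse_build(version) >= parse_build(fixed) else "vulnerable"


def triage(inventory):
    """inventory: iterable of (host, version). Returns a list of
    (host, version, status) with vulnerable hosts listed first."""
    rows = [(host, version, assess(version)) for host, version in inventory]
    order = {"vulnerable": 0, "unlisted": 1, "fixed": 2}
    return sorted(rows, key=lambda row: (order[row[2]], row[0]))


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("dev-laptop-01", "2025.2.5"),
    ("ci-runner-03", "2025.2.6.2"),
    ("remote-dev-07", "2026.1"),
    ("dev-laptop-02", "2024.3.7.1"),
    ("legacy-box-09", "2023.3.4"),
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<10} {host:<16} {version}")
```

Feed it whatever your endpoint management exports (host, build) and act on the "vulnerable" rows first; "unlisted" rows need a manual check against JetBrains' own release notes because the advisory table does not cover them.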
