From Project Guidance to Command Execution

Mindgard discovered a vulnerability in JetBrains Junie, the AI coding agent integrated into JetBrains development environments, that could allow a malicious project to execute commands on a developer’s system. The vulnerability, tracked as CVE-2026-41153, was discovered by Aaron Portnoy of Mindgard as part of our ongoing work evaluating the security of AI-assisted developer tooling.

The issue centered on how Junie handled project-level instruction files. Junie reads a guidelines.md file inside a project’s .junie directory and treats its contents as additional user-level instructions when handling requests through the chat interface. Mindgard found that a malicious repository could place instructions in this file that directed Junie to run a shell command in the background. When framed this way, the command could bypass expected read-only and human-in-the-loop approval checks.

‍

‍

In the proof of concept, the malicious guidelines file caused Junie to exfiltrate the contents of a project’s .env file through an HTTP POST request. The test was performed on Windows against JetBrains PyCharm 2025.2.4 with Junie version 252.487.72. JetBrains subsequently fixed the issue, and CVE-2026-41153 was issued.

This post explains what Mindgard found, why the behavior matters, and what this class of vulnerability says about the evolving trust model inside AI-assisted development environments.

‍

The Issue: Command Execution via Malicious Project File

The vulnerability tracked as CVE-2026-41153 affects JetBrains Junie and how it handles project-level guidance files inside AI-assisted development workflows. Specifically, Mindgard found that command execution was possible through a malicious .junie/guidelines.md file placed inside a project repository.

This matters because Junie is not simply reading static documentation. The AI coding agent treats the contents of the project’s guidelines file as additional user-level instructions when responding to chat requests. In normal use, that mechanism helps teams provide project-specific context, coding preferences, and workflow guidance. In a malicious repository, however, the same mechanism can become an instruction channel controlled by an attacker.

Mindgard’s research showed that if the guidelines file instructed Junie to run a command in the background, the command could bypass read-only and human-in-the-loop checks that would otherwise be expected to protect the user. In the proof of concept, the malicious guidelines instructed Junie to use its terminal tooling to run a PowerShell command that posted the contents of a .env file to a local collection endpoint. The result demonstrated that sensitive project data, including secrets stored in environment files, could be accessed and transmitted without the user explicitly approving the command.

The important point is not the specific .env file used in the demonstration. The broader issue is that a project-controlled instruction file could move from passive guidance into active command execution. By creating a repository with a malicious .junie/guidelines.md file, an attacker could create a path to arbitrary code execution on a developer’s system, with the privileges of the user running the IDE.

While the vulnerability is straightforward in isolation, it exposes a deeper architectural shift. Modern IDEs, especially those embedding AI assistants like Junie, are no longer passive tools. They are active, extensible platforms that interpret instructions, execute commands, inspect files, and automate development tasks inside environments that often contain source code, credentials, build systems, and deployment access.

That changes the trust boundary. In a conventional development workflow, a project file may configure the editor or provide documentation. In an AI-assisted workflow, a project file may shape the behavior of an agent that has access to tools. When that agent can invoke terminal commands, the security model must account not only for what files are loaded, but for how instructions inside those files are interpreted and acted upon.

‍

Why This Class of Issue Matters

At its core, this vulnerability stems from insufficient control over how semi-trusted project input is translated into agent behavior. In a traditional software tool, a configuration file might be parsed according to a narrow schema. In an AI-augmented IDE, free-form instructions can influence how the agent reasons, which tools it chooses, and whether it attempts to complete a task without user intervention.

That creates a blurred trust boundary. Inputs can originate from remote repositories, project templates, dependency examples, generated files, or other developer-supplied content. Once an AI coding agent treats those inputs as instructions, malicious content can propagate further than expected.

This is especially important in developer environments because of where they sit. IDEs and AI coding assistants are adjacent to source code, secrets, local credentials, package managers, CI/CD configuration, cloud tooling, and deployment workflows. A compromise inside this environment does not just affect the editor. It can affect every application, repository, and downstream system the developer can access.

The risk also compounds with automation. AI-assisted development tools increasingly help generate code, run tests, install dependencies, modify files, and execute commands. Those capabilities are useful precisely because they reduce friction. But when trust boundaries are weak, the same reduction in friction can help an attacker move from project content to system behavior.

CVE-2026-41153 is therefore not just a JetBrains issue. It is part of a broader pattern Mindgard continues to observe across AI-enabled development environments: project-controlled content can influence AI agents in ways that traditional developer tooling did not anticipate.

‍

JetBrains Response and Remediation

Mindgard reported the vulnerability to JetBrains through coordinated disclosure. According to the disclosure notes, JetBrains fixed the issue in December 2025. The vulnerability was assigned CVE-2026-41153 and credited to Aaron Portnoy of Mindgard.

From a security engineering perspective, the expected remediation is to ensure that project-level guidance cannot be used to bypass approval controls or convert passive instructions into unsafe command execution. AI coding agents need clear enforcement boundaries between:

• project guidance and user intent
• read-only behavior and command execution
• foreground actions and background execution
• trusted configuration and repository-supplied content
• AI-generated plans and actions requiring explicit user approval

JetBrains’ fix addresses the specific vulnerability, but the broader challenge remains for all vendors building AI-assisted developer tools. These systems need to treat workspace content as potentially hostile, especially when that content can shape agent behavior or influence tool use.

For organizations, patching remains the immediate priority. Teams using JetBrains Junie should ensure they are running a version that includes the December 2025 fix. They should also review how AI-assisted development features are enabled, how IDE updates are managed, and whether developers are opening untrusted repositories in environments that contain secrets or production access.

‍

Why This Matters Now

For organizations relying on AI IDE tools, the risk is not limited to this single CVE. It represents a broader shift in where security boundaries exist. Developer environments are now part of the production attack surface, especially as AI accelerates development cycles and increases reliance on automated workflows.

From a business perspective, this introduces several challenges:

Hidden exposure: Many organizations do not have visibility into which IDEs, plugins, AI coding assistants, or agentic development tools are in use across their developer base.

Expanded blast radius: A compromise in a developer environment can affect multiple applications, repositories, credentials, and pipelines at once.

Approval controls that may not behave as expected: Human-in-the-loop controls are only effective when they are consistently enforced across all execution paths, including background operations and agent-mediated workflows.

Faster attack cycles: AI-assisted development increases speed. That speed benefits defenders and builders, but it can also accelerate attacker workflows when malicious instructions are introduced into trusted development contexts.

Compliance and governance gaps: Traditional controls were not designed for AI agents that interpret project content, make decisions, and execute actions inside development environments.

For companies using JetBrains products, immediate steps should include validating patch deployment, auditing Junie usage, reviewing plugin and IDE governance, and limiting exposure to untrusted repositories in environments with sensitive credentials. Beyond that, organizations need to rethink how they monitor and secure developer environments as part of their broader application security strategy.

‍

Closing Thoughts

CVE-2026-41153 highlights a recurring lesson from Mindgard’s research into AI-assisted development tools: when AI agents are added to developer environments, old assumptions about project files, configuration, and user approval no longer hold.

A file that looks like local project guidance can become an instruction source. An instruction source can influence an agent. An agent with tool access can execute commands. And commands executed inside a developer environment can reach source code, secrets, and systems that matter.

JetBrains has fixed this issue, and organizations should apply the relevant updates. But the underlying pattern extends beyond a single vendor. As IDEs continue to adopt richer AI integrations, the trust model for workspace content must evolve with them.

Mindgard is publishing this disclosure to document the vulnerability we found, recognize the remediation, and help security teams understand the emerging risks created when AI coding agents operate across code, tools, and execution environments.

‍

Timeline