CVE | nvd | 26 Jun 2026

CVE-2026-53914 (CVSS 6.7) — In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata

CVE. Sourced from nvd, summarised by Matproof.

AI Analysis

What changed and what to do.

A new vulnerability, CVE-2026-53914, has been published with a CVSS score of 6.7, affecting JetBrains Kotlin versions prior to 2.4.20. The issue allows code execution through unsafe deserialization in the build cache metadata. This means an attacker could exploit the way Kotlin processes cached build data to run arbitrary code on a system, potentially compromising the integrity of software builds and the environments where they occur.

Organizations using JetBrains Kotlin for software development are affected, particularly those in sectors with strict regulatory compliance requirements such as finance, healthcare, and critical infrastructure. Any entity that relies on Kotlin-based build pipelines, continuous integration systems, or development toolchains should consider this a medium-severity risk. The vulnerability could lead to supply chain attacks if malicious code is injected during the build process, which may violate data protection and software integrity obligations under regulations like GDPR, NIS2, or sector-specific standards.

Compliance teams should immediately verify that all Kotlin installations and build environments are updated to version 2.4.20 or later. They should also review their vulnerability management processes to ensure this CVE is tracked and remediated within their defined risk acceptance timelines. Additionally, teams should assess whether any build cache metadata has been exposed to untrusted sources and consider implementing stricter access controls on build artifacts and caching mechanisms.
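One way to carry out the version check across a source tree, as an added example that is not part of the advisory or JetBrains tooling. It assumes Kotlin is pinned in Gradle files through the plugin DSL, a version catalog or properties entry, or a `kotlin-gradle-plugin` classpath coordinate, and it treats pre-release builds of 2.4.20 as still affected (a conservative assumption).

```python
import re
from pathlib import Path

FIXED = (2, 4, 20)  # first fixed Kotlin release named in the advisory
BUILD_FILES = {"build.gradle", "build.gradle.kts", "settings.gradle",
               "settings.gradle.kts", "gradle.properties", "libs.versions.toml"}

# Assumed declaration styles: plugin DSL, version catalog / properties, classpath.
PATTERNS = [
    re.compile(r'''(?:kotlin\(\s*["'][\w.-]+["']\s*\)|'''
               r'''id\s*\(?\s*["']org\.jetbrains\.kotlin[\w.-]*["']\s*\)?)'''
               r'''\s+version\s+["']([^"']+)["']'''),
    re.compile(r'''^\s*kotlin(?:[._-]?version)?\s*=\s*["']?(\d[^"'\s]*)''',
               re.I | re.M),
    re.compile(r'''org\.jetbrains\.kotlin:kotlin-gradle-plugin:(\d[^"'\s)]*)'''),
]

def is_affected(version):
    """True if before 2.4.20, False if fixed, None if not a literal version."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version)
    if not m:
        return None  # e.g. "$kotlinVersion": resolve by hand
    core = (int(m[1]), int(m[2]), int(m[3] or 0))
    if core != FIXED:
        return core < FIXED
    # Assumption: 2.4.20-RC / 2.4.20-Beta1 precede the final 2.4.20 release.
    return bool(m[4])

def scan_text(text):
    """Return [(declared_version, is_affected)] for one build file's text."""
    found = []
    for pattern in PATTERNS:
        for match in pattern.finditer(text):
            found.append((match.group(1), is_affected(match.group(1))))
    return found

def scan_tree(root):
    """Yield (path, version, status) for every non-fixed declaration under root."""
    for path in Path(root).rglob("*"):
        if path.name in BUILD_FILES and path.is_file():
            for version, affected in scan_text(path.read_text(errors="replace")):
                if affected is not False:
                    yield str(path), version, affected

if __name__ == "__main__":
    for hit in scan_tree("."):
        print(*hit, sep="\t")
```

A status of `True` marks a declaration below the fixed release; `None` marks a version expressed as a variable or other non-literal that needs manual resolution.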

This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.
