Description
In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
Published: 2026-02-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality compromise via exposed access tokens
Action: Update
AI Analysis

Impact

YouTrack versions before 2025.3.119033 write access tokens into the Mailbox integration logs without masking them. Anyone who can read those logs, or copies of them in backups, support bundles, or a central log store, can harvest the tokens and then use them with the permissions of the token's owner. The CVSS vector rates the direct impact as a confidentiality loss only (C:H/I:N/A:N), but a replayed token lets the holder act as that user against YouTrack, so data exfiltration and unauthorized changes are realistic follow-on actions once a token is captured. The weakness is CWE-532, Insertion of Sensitive Information into Log File.

Affected Systems

JetBrains YouTrack is the only affected product listed. Every YouTrack installation older than 2025.3.119033 is affected. The NVD CPE (cpe:2.3:a:jetbrains:youtrack:*:*:*:*:*:*:*:*) carries no version bounds, so compare the running build number against 2025.3.119033 rather than relying on CPE matching to decide whether an instance is affected.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) describes a network-reachable issue that needs only low privileges and no user interaction, with a high confidentiality impact and no direct integrity or availability impact. EPSS puts the probability of exploitation in the wild below 1%, the SSVC assessment records no known exploitation and rates the issue not automatable, and the CVE is not in CISA's KEV catalog. The practical attack path is reading the Mailbox logs by whatever route makes them readable (the server filesystem, a file share, a log-forwarding pipeline, or an exported support bundle), so the exposure is largest where many users or service accounts can read YouTrack logs.

Generated by OpenCVE AI on April 17, 2026 at 21:28 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description itself gives the fixed version: the issue is present only in YouTrack builds before 2025.3.119033, so upgrading to that build or later removes the logging of tokens (see the recommended actions below).

OpenCVE Recommended Actions

  • Upgrade YouTrack to 2025.3.119033 or newer; that is the first build in which access tokens are no longer written to the Mailbox logs.
  • Treat every token that may have passed through the Mailbox integration while an affected build was running as compromised: revoke and reissue it, and scope the replacement tokens to the minimum permissions the integration needs.
  • Search existing Mailbox logs, including rotated files, backups, and copies forwarded to a central log store, for token values, and purge or redact those copies. Until the upgrade is in place, reduce Mailbox logging to the minimum level needed for operations.
  • Restrict read access to the YouTrack log directory and to any log platform that receives YouTrack logs, and alert on token-shaped values appearing in new log lines.
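The last two actions, checking existing logs for token values and redacting copies that must be kept, can be scripted. The Python below is an added example written for this page, not code from JetBrains or OpenCVE. It runs over constructed sample log lines (the line format and the `perm:<base64 user>.<base64 name>.<secret>` token shape are assumptions about what a YouTrack Mailbox log and a YouTrack permanent token look like), reports each hit with a masked preview so the report itself does not leak the secret, and produces a redacted copy of the log.

```python
"""Scan mailbox-style log lines for leaked access tokens and redact them.

Added example. The log format and the token patterns are assumptions for
illustration, not taken from YouTrack's source.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input; not real YouTrack output.
SAMPLE_LOG = """\
2026-02-03 10:14:02 INFO  [mailbox] Connecting to imap.example.com:993 as support@example.com
2026-02-03 10:14:02 DEBUG [mailbox] Auth header: Authorization: Bearer ya29.a0AfH6SMC_example_oauth_token_value_1234567890
2026-02-03 10:14:03 DEBUG [mailbox] Using permanent token perm:c3VwcG9ydA==.TWFpbGJveA==.0123456789abcdef0123456789abcdef
2026-02-03 10:14:03 INFO  [mailbox] Fetched 3 messages
2026-02-03 10:15:00 DEBUG [mailbox] Request params: access_token=AbCdEfGh0123456789AbCdEfGh0123456789
"""

# Token shapes to look for. Each pattern exposes the secret as group "secret".
# The perm:<base64>.<base64>.<secret> shape is an assumption about YouTrack
# permanent tokens; Bearer headers and key=value secrets are generic.
TOKEN_PATTERNS = [
    ("youtrack_perm_token",
     re.compile(r"(?P<secret>perm:[A-Za-z0-9+/=]+\.[A-Za-z0-9+/=]+\.[A-Za-z0-9]+)")),
    ("bearer_token",
     re.compile(r"(?i)bearer\s+(?P<secret>[A-Za-z0-9\-._~+/]+=*)")),
    ("kv_secret",
     re.compile(r"(?i)\b(?:access_token|refresh_token|api_key|password)=(?P<secret>[^\s&]+)")),
]


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number in the scanned log
    kind: str      # which pattern fired
    preview: str   # masked token; safe to put in a report or ticket


def mask(secret: str) -> str:
    """Hide everything after a short identifying prefix.

    For the assumed perm:<user>.<name>.<secret> shape the prefix is the user
    segment, so the report still says whose token must be rotated.
    """
    if secret.startswith("perm:"):
        return secret.split(".", 1)[0] + ".***REDACTED***"
    return secret[:4] + "***REDACTED***"


def find_tokens(line: str, line_no: int = 0) -> List[Finding]:
    """Return one Finding per token-shaped value on the line, never the raw secret."""
    found = []
    for kind, pattern in TOKEN_PATTERNS:
        for m in pattern.finditer(line):
            found.append(Finding(line_no, kind, mask(m.group("secret"))))
    return found


def redact_line(line: str) -> str:
    """Replace each secret on the line with its masked form, keeping the rest intact."""
    for _, pattern in TOKEN_PATTERNS:
        line = pattern.sub(
            lambda m: m.group(0).replace(m.group("secret"), mask(m.group("secret"))),
            line,
        )
    return line


def scan_log(text: str) -> List[Finding]:
    """Scan a whole log and return findings in line order."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        findings.extend(find_tokens(line, n))
    return findings


def redact_log(text: str) -> str:
    """Produce a copy of the log that is safe to retain or forward."""
    return "\n".join(redact_line(line) for line in text.splitlines())


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.preview}")
    print(redact_log(SAMPLE_LOG))
```

Run `scan_log` over the live log directory, rotated files and any archived copies; every finding is a token that must be revoked and reissued, and `redact_log` gives the version to keep if retention rules require it. The findings deliberately carry only a masked preview, so the scan report does not become a second copy of the leak.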



Advisories

No advisories yet.

History

Each entry lists the changed field and the value recorded for it; the "Values Removed" column was empty in every entry.

Fri, 17 Apr 2026 21:45:00 +0000
  Title: YouTrack Access Tokens Exposed in Mailbox Logs

Wed, 18 Feb 2026 21:00:00 +0000
  CPEs: cpe:2.3:a:jetbrains:youtrack:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 12:45:00 +0000
  First Time appeared: Jetbrains; Jetbrains youtrack
  Vendors & Products: Jetbrains; Jetbrains youtrack

Mon, 09 Feb 2026 14:15:00 +0000
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000
  Description: In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
  Weaknesses: CWE-532
  References: (none listed)
  Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-02-09T13:46:19.192Z

Reserved: 2026-02-06T14:16:36.496Z

Link: CVE-2026-25846

Vulnrichment

Updated: 2026-02-09T13:45:39.480Z

NVD

Status : Analyzed

Published: 2026-02-09T11:16:14.787

Modified: 2026-02-18T20:48:14.693

Link: CVE-2026-25846

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses