Description
In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint
Published: 2026-02-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of App Permissions
Action: Apply Patch
AI Analysis

Impact

JetBrains YouTrack versions earlier than 2025.3.121962 allow applications to send requests to the app permissions endpoint without proper authorization. This flaw can enable an attacker who can influence or intercept app traffic to modify or expand application permissions, leading to privilege escalation within the YouTrack system or exposure of sensitive data. The weakness identified is a missing authorization control (CWE-862).

Affected Systems

JetBrains YouTrack prior to version 2025.3.121962 is affected. Administrators should check whether their installation is running a version older than this.

Risk and Exploitability

The vulnerability is rated high with a CVSS score of 8.8 and a very low EPSS score of less than 1 percent, indicating few publicly known exploitation efforts at this time. The CVE is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is an internal or remote attacker able to send crafted HTTP requests to the permissions endpoint directly, possibly through a compromised application or an insider with access to the YouTrack API. The lack of authorization controls allows such requests to succeed, potentially granting elevated privileges or unauthorized data access.

Generated by OpenCVE AI on April 17, 2026 at 15:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade YouTrack to version 2025.3.121962 or later
  • If an upgrade is not immediately possible, configure network or application controls to block or log unexpected requests to the app permissions endpoint
  • Enable auditing and monitoring of permission changes to detect unauthorized modifications promptly

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 15:45:00 +0000

Type | Values Removed | Values Added
Title | - | Unauthorized Access to App Permissions in JetBrains YouTrack

Thu, 26 Feb 2026 16:00:00 +0000

Type | Values Removed | Values Added
CPEs | - | cpe:2.3:a:jetbrains:youtrack:*:*:*:*:*:*:*:*

Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Jetbrains; Jetbrains youtrack
Vendors & Products | - | Jetbrains; Jetbrains youtrack

Wed, 25 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | - | In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint
Weaknesses | - | CWE-862
References | - | -
Metrics | - | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-02-26T14:44:06.777Z

Reserved: 2026-02-25T12:35:11.990Z

Link: CVE-2026-28193

Vulnrichment

Updated: 2026-02-25T15:07:13.693Z

NVD

Status: Analyzed

Published: 2026-02-25T14:16:20.597

Modified: 2026-02-26T15:59:53.567

Link: CVE-2026-28193

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses