Description
In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts
Published: 2026-05-29
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in JetBrains YouTrack versions prior to 2026.1.13570, where an authorization flaw permits authenticated low‑privileged users to alter service account settings. This abuse can change account permissions, potentially elevating their influence over system operations, and compromising confidentiality, integrity, and availability of the platform. The weakness corresponds to CWE‑862.

Affected Systems

Affected systems are installations of JetBrains YouTrack running any version earlier than 2026.1.13570. The issue has been identified by the JetBrains CNA and pertains exclusively to that product line.

Risk and Exploitability

With a CVSS base score of 6.5, the vulnerability presents a moderate severity risk. The EPSS score is not available, and the flaw is not currently catalogued in the CISA KEV list. Attacks would require an authenticated session; a low‑privileged user could leverage the exposed interface to modify service accounts, implying that the attack vector is likely authenticated over the web application. The absence of a publicly available exploit does not eliminate the risk, especially in environments where low‑privileged accounts have broad privileges.

Generated by OpenCVE AI on May 29, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains YouTrack to version 2026.1.13570 or later.
  • Revoke or restrict permissions for low‑privileged users, ensuring that only authorized roles can modify service account configurations.
  • Audit and monitor service account changes for unauthorized activity.

Generated by OpenCVE AI on May 29, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 20:00:00 +0000

Type Values Removed Values Added
Title Access Control Bypass in JetBrains YouTrack
First Time appeared Jetbrains
Jetbrains youtrack
Vendors & Products Jetbrains
Jetbrains youtrack

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Jetbrains Youtrack
cve-icon MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-05-29T19:27:11.563Z

Reserved: 2026-05-29T18:08:00.467Z

Link: CVE-2026-49385

cve-icon Vulnrichment

Updated: 2026-05-29T19:27:06.793Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T19:16:28.567

Modified: 2026-05-29T20:11:15.977

Link: CVE-2026-49385

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T19:45:06Z

Weaknesses