Description
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint
Published: 2026-06-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetBrains YouTrack hosts a comment templates endpoint that, in versions prior to 2026.2.16593, does not enforce proper authorization checks. This missing authorization allows any user who can reach the endpoint to read private data associated with other users. The flaw is an instance of CWE-862 (Missing Authorization), and successful exploitation results in a breach of confidentiality, exposing user information that was expected to remain private.

Affected Systems

The affected product is JetBrains YouTrack. All releases before 2026.2.16593 are vulnerable; administrators running older versions should verify whether their deployment is affected. No other products or vendors are listed as affected.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity in terms of impact, while the very low EPSS estimate and the absence of a KEV listing suggest that widespread exploitation has not been observed. The vulnerability is reachable via the web API: an attacker would need network access to the YouTrack server and a low-privileged account (CVSS PR:L), or a compromised client session, to reach the comment templates endpoint. Because the flaw allows data disclosure without requiring elevated privileges, the risk is primarily to privacy and confidentiality rather than to system integrity or availability.

Generated by OpenCVE AI on June 26, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains YouTrack to version 2026.2.16593 or later, which includes the authorization fix for the comment templates endpoint.
  • Ensure that all API endpoints, particularly the comment templates endpoint, perform proper authentication and authorization so that only authorized users can access private data. This may involve reviewing the access control logic or configuring access restrictions within your deployment.
  • If an immediate upgrade is not possible, restrict network access to the YouTrack API server to trusted internal networks only and monitor for unauthorized attempts to reach the comment templates endpoint.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jetbrains; Jetbrains youtrack
Vendors & Products | | Jetbrains; Jetbrains youtrack

Fri, 26 Jun 2026 15:00:00 +0000

Type | Values Removed | Values Added
Title | | Improper Access Control in JetBrains YouTrack Exposes User Private Data via Comment Templates Endpoint

Fri, 26 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: JetBrains

Updated: 2026-06-26T13:46:22.254Z

Reserved: 2026-06-26T12:21:22.954Z

Link: CVE-2026-57921

Vulnrichment

Updated: 2026-06-26T13:28:19.956Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T16:45:03Z

Weaknesses