Impact
A vulnerability in JetBrains YouTrack allows disclosure of project settings through the MCP interface, inadvertently exposing potentially sensitive configuration information. The root cause is a missing authorization check (CWE-862), which permits unauthenticated or improperly authorized users to retrieve project configuration data that should be protected. The vendor classifies the security impact as low, reflected in a CVSS score of 3.1.
Affected Systems
JetBrains YouTrack versions prior to 2026.2.16593 are affected. Before applying remediation, users should verify that their installation is older than this release.
Risk and Exploitability
The CVSS score of 3.1 rates this vulnerability as low severity, and the absence of an EPSS score indicates that no current exploitation data is publicly known. The flaw is not listed in the CISA KEV catalog, suggesting there have been no confirmed large-scale attacks at this time. The likely attack vector is access to the MCP endpoint, presumably via an authenticated session, though the advisory does not document the exact requirements. Because the flaw discloses configuration data, it creates a risk of information leakage: project settings may contain details about workflows, dependencies, or integration endpoints. The overall risk remains low, but the exposed information could aid a future attack if combined with additional privileges or other vulnerabilities.