Description
In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings
Published: 2026-06-26
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an improper authorization check in the YouTrack application configurations endpoint. When accessed, the endpoint allows an authenticated user to change project settings without sufficient privilege validation. This flaw enables an attacker to modify configuration parameters such as project permissions, workflow rules, and issue categorization, potentially altering the behavior of projects and affecting multiple users in the organization. The weakness corresponds to CWE-862.

Affected Systems

JetBrains YouTrack installations with versions earlier than 2026.2.16593 are affected. Any instance that has not upgraded to a version released on or after 2026.2.16593 remains vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity vulnerability. The EPSS score is not available, so the overall exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, suggesting that there is no confirmed widespread exploitation. Attackers would need an authenticated session, and the likely attack vector is remote HTTP access to the configurations API. Once authenticated, the lack of proper authorization allows the attacker to alter project settings across the instance.

Generated by OpenCVE AI on June 26, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains YouTrack to version 2026.2.16593 or later to remove the authorization flaw
  • Restrict privileged roles and enforce least‑privilege principles for users who can access project configuration APIs
  • Enable auditing or logging on configuration changes to detect unauthorized alterations

Generated by OpenCVE AI on June 26, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Jetbrains
Jetbrains youtrack
Vendors & Products Jetbrains
Jetbrains youtrack

Fri, 26 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Improper Authorization in YouTrack Project Configuration Endpoint

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Jetbrains Youtrack
cve-icon MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-06-26T13:45:47.920Z

Reserved: 2026-06-26T12:21:23.467Z

Link: CVE-2026-57923

cve-icon Vulnrichment

Updated: 2026-06-26T13:27:29.837Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:15:04Z

Weaknesses