Description
In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details
Published: 2026-06-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In JetBrains YouTrack versions prior to 2026.2.16593, the default role configuration exposes excessive user profile details. This allows a user holding the default role to view more personal information about other users than intended, leading to privacy violations. The weakness is classified as CWE-276, Insecure Permissions.

Affected Systems

The vulnerability affects JetBrains YouTrack. All releases before 2026.2.16593 inherit this flaw, as the issue originates from the default role settings bundled with the product.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate impact. EPSS is not available and the flaw is not listed in CISA KEV, suggesting limited, if any, known exploit activity. The likely attack vector involves authenticating to the application and accessing the role configuration or user profiles; no special privilege escalation is required beyond the default role. Organizations not using the default role or that have already patched are not affected.

Generated by OpenCVE AI on June 26, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains YouTrack to version 2026.2.16593 or newer.
  • If an upgrade cannot be performed immediately, adjust the default role configuration to limit the visibility of user profile fields that should remain private.
  • Perform an audit of exposed profile information and implement additional privacy controls to ensure only necessary data is accessible.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Jetbrains; Jetbrains youtrack
Vendors & Products  |                | Jetbrains; Jetbrains youtrack

Fri, 26 Jun 2026 15:00:00 +0000

Type  | Values Removed | Values Added
Title |                | Excessive User Profile Data Exposure through Default Role Configuration

Fri, 26 Jun 2026 14:30:00 +0000

Type         | Values Removed | Values Added
Metrics ssvc |                | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 13:30:00 +0000

Type             | Values Removed | Values Added
Description      |                | In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details
Weaknesses       |                | CWE-276
References       |                |
Metrics cvssV3_1 |                | {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Jetbrains Youtrack
MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-06-26T13:45:33.441Z

Reserved: 2026-06-26T12:21:23.827Z

Link: CVE-2026-57924

Vulnrichment

Updated: 2026-06-26T13:27:10.018Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses

  • CWE-276: Incorrect Default Permissions