Description
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags
Published: 2026-06-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetBrains YouTrack installations prior to version 2026.2.16593 contain an improper access control flaw that lets users view saved queries and tags they should not be allowed to read. The weakness is classified as CWE-862 and can expose sensitive project metadata or configuration details, compromising confidentiality. The vulnerability does not lead to code execution or denial of service, but it lets an actor with legitimate credentials or a valid session gather information that may assist further attacks or cause internal data exposure.

Affected Systems

The flaw affects JetBrains YouTrack across all platforms. Any instance running a version earlier than 2026.2.16593 is potentially vulnerable. Users should verify the exact runtime version and apply updates where necessary.

Risk and Exploitability

The CVSS score is 4.3, indicating medium severity. EPSS information is not available and the issue is not listed in the CISA KEV catalog, so exploitation likelihood is considered low to moderate. The likely attack vector is an authenticated user with only common access rights, to whom the system incorrectly grants read access; an internal or compromised account can therefore exploit the flaw. Given the moderate CVSS score and lack of public exploitation evidence, the overall risk remains moderate, but any environment handling sensitive project data should still prioritize remediation.

Generated by OpenCVE AI on June 26, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains YouTrack to version 2026.2.16593 or later, which removes the access control flaw.
  • Reevaluate and tighten permissions for saved queries and tags, ensuring that only authorized users with explicit need can view them; if upgrade is delayed, consider disabling these features or restricting them via configuration to prevent unauthorized access.
  • If upgrading cannot be performed promptly, isolate the affected instances from external networks or restrict external access to limit potential data leakage.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jetbrains, Jetbrains youtrack
Vendors & Products | | Jetbrains, Jetbrains youtrack

Fri, 26 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Title | | Improper Access Control Allows Read Access to Saved Queries and Tags

Fri, 26 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-06-26T13:45:18.602Z

Reserved: 2026-06-26T12:21:24.090Z

Link: CVE-2026-57925

Vulnrichment

Updated: 2026-06-26T13:26:47.739Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses