CVE-2026-49369: JetBrains YouTrack Information Disclosure in Users and Groups Pages
JetBrains YouTrack versions before 2026.1.13162 contained a flaw that allowed authenticated users to access sensitive information about other users and groups they shouldn't be able to see. The vulnerability is limited to the Users and Groups administrative pages and requires valid login credentials to exploit. This is a straightforward authorization issue where the application failed to properly restrict who could view certain user and group data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-863
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49369 is an information disclosure vulnerability stemming from improper access control (CWE-863) in JetBrains YouTrack's administrative interface. The flaw permits authenticated users with lower privilege levels to retrieve unauthorized information from the Users and Groups management pages. The vulnerability does not require user interaction and operates over the network. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) reflects a network-accessible, low-complexity attack requiring only standard login credentials, with limited confidentiality impact and no integrity or availability compromise.
Business impact
The exposure of user and group information can facilitate social engineering, privilege escalation planning, and compliance violations. Organizations using YouTrack for internal project management risk leaking organizational structure details, email addresses, and group membership information to lower-privileged insiders. In regulated environments, unauthorized information access may trigger audit findings and require breach notification analysis depending on data sensitivity and regulatory scope.
Affected systems
JetBrains YouTrack installations prior to version 2026.1.13162 are affected. The vulnerability is specific to YouTrack and does not affect other JetBrains products. All deployment types (cloud, self-hosted) running the vulnerable version are at risk. Verify your installed version against the vendor's official release notes to confirm impact.
Exploitability
Exploitation requires valid YouTrack credentials and network access to the instance. The attack is straightforward and does not require sophisticated techniques or user interaction. Any authenticated user can navigate to the Users and Groups pages to retrieve restricted information. The barrier to exploitation is minimal once credentials are obtained, making this a concern for organizations with many YouTrack users or federated authentication systems.
Remediation
Upgrade JetBrains YouTrack to version 2026.1.13162 or later. Organizations should verify the specific patch version against JetBrains' official security advisory and release notes. If immediate patching is not feasible, restrict administrative page access through network-level controls (IP whitelisting, VPN requirements) and monitor access logs for suspicious queries to the Users and Groups pages.
Patch guidance
Deploy YouTrack version 2026.1.13162 or later through JetBrains' standard update mechanisms. Review release notes to identify any configuration changes or compatibility considerations. Test the update in a non-production environment first to ensure compatibility with customizations and integrations. After patching, verify that access controls to sensitive administrative pages are functioning as intended.
Detection guidance
Monitor YouTrack access logs for authenticated users accessing the Users and Groups administrative pages who do not have legitimate administrative responsibilities. Check for repeated or bulk queries to these endpoints from non-admin accounts. Review audit trails for changes to user visibility or access permission settings. In SIEM systems, create alerts for failed or suspicious access attempts to administrative interfaces by low-privilege users.
Why prioritize this
Although rated MEDIUM severity with limited exploitability, this vulnerability should be prioritized based on your environment's sensitivity. Organizations with high-value user data, strict compliance requirements, or significant numbers of non-administrative users should patch within 30 days. Environments where YouTrack user lists correlate with sensitive operational information warrant faster remediation. If you use federated authentication or shared access models, prioritize accordingly.
Risk score, explained
The CVSS 4.3 MEDIUM score reflects the requirement for prior authentication, network accessibility, low attack complexity, and limited scope of impact (confidentiality only). The score would be lower if the flaw required special privileges or user interaction. It is not higher because there is no integrity or availability impact and the confidentiality breach is confined to user and group metadata rather than core application data or customer information.
Frequently asked questions
Do we need to patch immediately if we restrict YouTrack access to administrators only?
No, but you should still prioritize within 60 days. If only trusted administrators can access YouTrack, the attack surface is reduced. However, patching remains important because administrative credentials can be compromised or misused, and the fix addresses a fundamental access control flaw that should be remediated to maintain security posture.
What information is actually exposed through this vulnerability?
The vulnerability exposes user profiles and group membership information accessible on the Users and Groups administrative pages. This typically includes usernames, email addresses, group assignments, and possibly display names or contact information. It does not expose passwords, API tokens, or application data stored within projects.
How does this differ from a privilege escalation vulnerability?
This is strictly an information disclosure issue. An attacker cannot perform elevated actions or modify data; they can only view information they shouldn't see. Privilege escalation would allow an attacker to gain higher permissions. However, disclosed organizational structure could support a follow-up privilege escalation attempt.
Is this vulnerability being actively exploited in the wild?
No. This CVE has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. There is no current evidence of active exploitation in the wild, though this does not guarantee future safety. Patch according to your standard maintenance schedule, treating this as a medium-priority update rather than an emergency.
This analysis is provided for informational purposes and based on publicly available vulnerability data as of the publication date. CVSS scores and severity ratings are derived from official CVE records and may be updated by NIST or the vendor. Organizations should verify patch availability and compatibility against official JetBrains advisories before deployment. This assessment does not constitute legal or compliance advice; consult your organization's legal and compliance teams regarding breach notification or regulatory reporting obligations. Exploit details, proof-of-concept code, or weaponization steps are deliberately omitted. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-49376MEDIUMJetBrains TeamCity SAML Username Validation Bypass
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP
- CVE-2026-10860MEDIUMMISP Delete Validation Bypass – Logic Error in HTTP DELETE Handler
- CVE-2026-32906MEDIUMOpenClaw Privilege Escalation in Slack Plugin Approvals
- CVE-2026-34507MEDIUMOpenClaw QQBot Admin Command Policy Bypass (CVSS 5.4)
- CVE-2026-35673MEDIUMOpenClaw SSRF Policy Bypass in Debug and Export Routes