CVE-2026-49370: JetBrains YouTrack Information Disclosure – fetchApp Request Vulnerability
JetBrains YouTrack versions before 2026.1.13162 contain an information disclosure vulnerability affecting the fetchApp request handler. An authenticated user with high privileges can trigger unintended data exposure through a request that includes user interaction, though the scope of disclosed information is limited. This is a low-severity issue that requires administrative or privileged account access to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.4 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-201
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49370 is classified as an information disclosure vulnerability (CWE-201) in the fetchApp request processing logic of JetBrains YouTrack. The vulnerability has a CVSS v3.1 score of 3.4 (Low severity) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N. Exploitation requires network access, high privilege level (PR:H), and user interaction (UI:R), while the confidentiality impact is limited (C:L) with no integrity or availability compromise. The vulnerability was identified and patched in version 2026.1.13162.
Business impact
The limited scope of this vulnerability—requiring high-privilege authentication, user interaction, and producing only partial information disclosure—minimizes immediate business risk for most YouTrack deployments. Organizations should prioritize patching instances where trusted administrators or power users have been compromised or where internal threat actors may be present. The lack of CISA KEV status and low CVSS score indicate this is not an active exploitation vector in the wild, though it remains a valid privilege-escalation concern in zero-trust or multi-tenant environments.
Affected systems
JetBrains YouTrack installations running versions prior to 2026.1.13162 are affected. The vulnerability is limited to the fetchApp request handler and requires an authenticated, high-privilege user to trigger. Cloud-hosted and self-hosted deployments are equally affected. Verify your current YouTrack version and cross-reference against your deployment model to assess scope.
Exploitability
Exploitability is low due to authentication and privilege requirements. An attacker must already possess high-privilege credentials (such as administrator or power-user roles) and interact directly with the application—it cannot be triggered through passive attack vectors or by unauthorized users. The network vector is unauthenticated-accessible, but the authentication gate and required user interaction substantially reduce practical risk. No active exploits are documented in the CISA Known Exploited Vulnerabilities catalog.
Remediation
Upgrade JetBrains YouTrack to version 2026.1.13162 or later. This is a straightforward patching exercise with low business disruption expected given the low severity classification. Test the patch in a non-production environment first to validate compatibility with custom configurations, plugins, or integrations before rolling out to production.
Patch guidance
Obtain the patched version (2026.1.13162 or newer) from JetBrains' official distribution channels. Review the release notes for any breaking changes or deprecations. For self-hosted deployments, follow JetBrains' documented upgrade procedure, including backup and rollback planning. For cloud-hosted instances, verify that your hosting provider has applied the patch. Most organizations should prioritize this update for future maintenance windows rather than treating it as an emergency change.
Detection guidance
Monitor fetchApp request logs for unusual patterns, particularly requests from high-privilege accounts that result in HTTP 200 responses with unexpectedly large payloads or sensitive data fields. Use your YouTrack audit logs to identify which high-privilege users have executed fetchApp requests recently. Correlation with user activity logs can help surface suspicious timing or frequency. Consider implementing network-level inspection of YouTrack traffic to high-privilege API endpoints if risk posture demands it.
Why prioritize this
This vulnerability scores low on the CVSS scale (3.4) and carries no ransomware or active exploitation signals. Prioritize it below critical/high-severity items, but include it in standard patch cycles. Organizations with strict zero-trust postures, multi-tenant deployments, or recent incidents involving compromised admin accounts should bump it up in queue. The combination of required privilege level and user interaction makes it a secondary concern compared to unauthenticated or low-privilege flaws.
Risk score, explained
The CVSS score of 3.4 reflects the several barriers to exploitation: high privilege requirement (PR:H), mandatory user interaction (UI:R), and limited confidentiality impact (C:L). Network accessibility (AV:N) and low attack complexity (AC:L) prevent an even lower score, but the privilege gate is the dominant mitigating factor. In environments with strict access controls, the effective risk is further reduced.
Frequently asked questions
Do I need to patch immediately, or can this wait until our next maintenance window?
You can safely defer this to your next routine maintenance window. The CVSS score is low, there is no active exploitation documented, and exploitation requires high-privilege authentication plus user interaction. If your YouTrack instance is air-gapped or access-restricted, the risk is negligible. Prioritize it below any high or critical severity vulnerabilities.
What data can be disclosed through a fetchApp request?
The vulnerability description indicates information disclosure is possible, but the specific data fields or scope are not detailed in the published advisory. Contact JetBrains support or review their security advisory for precise details on what information may leak. In a defense-in-depth approach, assume any non-public YouTrack data (project metadata, user details, workflow states) could be affected and limit high-privilege account access accordingly.
Does this affect YouTrack Cloud, or only self-hosted instances?
Both deployment models are affected if they are running a version prior to 2026.1.13162. Cloud-hosted instances should be automatically patched by JetBrains; verify your instance version in the admin settings. Self-hosted deployments require manual patching by your infrastructure team.
Is there a workaround if we cannot patch immediately?
No workaround is documented. The primary mitigation is upgrade to the patched version. As a temporary measure, restrict network access to YouTrack's fetchApp endpoint or limit high-privilege user accounts to trusted networks or VPN access only, but these are not substitutes for patching.
This analysis is based on published CVE data and CVSS metrics as of the vulnerability's disclosure. Specific data exposure scope and exploitation impact may vary by deployment configuration and custom extensions. Always verify patch applicability and compatibility with your specific YouTrack version and environment before deploying updates. For authoritative guidance, consult JetBrains' official security advisory and release notes. This explainer is for informational and educational purposes and does not constitute professional security or legal advice. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-45739LOWStrawberry GraphQL Credential Exposure in GraphiQL Headers
- CVE-2026-10101MEDIUMACM/MCE Pull-Secret Credential Exposure via InfraEnv Status
- CVE-2026-4035HIGHMLflow AI Gateway Environment Variable Credential Exposure
- CVE-2026-42539MEDIUMIRIS Information Disclosure Vulnerability (6.5 CVSS) – Patch to 2.4.28
- CVE-2026-42673HIGHLogtivity Activity Logs Information Disclosure (CVSS 7.5)
- CVE-2026-44653MEDIUMLibreChat MCP Server Credential Exposure (0.8.3 & Earlier)
- CVE-2026-45582MEDIUMn8n-MCP Telemetry Data Leakage (MEDIUM)
- CVE-2026-49380LOWJetBrains TeamCity SAML Open Redirect Vulnerability