CVE-2026-49386: YouTrack Access Control Vulnerability Allows Enumeration of Restricted Issues
JetBrains YouTrack versions prior to 2026.1.13570 contain an access control flaw that allows authenticated users to discover restricted issues and articles on the Planning Canvas feature. While attackers cannot modify or delete content, they can enumerate sensitive information that should be hidden from their permission level. This is a credential-based attack—an attacker must have valid YouTrack login credentials to exploit it, but once authenticated, the vulnerability requires no special interaction or additional privileges.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49386 stems from improper access control mechanisms in YouTrack's Planning Canvas module (CWE-639: Authorization through User-Controlled Key). The vulnerability permits an authenticated attacker to bypass visibility restrictions and enumerate issues and articles marked as restricted. The attack vector is network-accessible and requires only standard user credentials; no social engineering, client-side interaction, or elevated privileges are necessary. The flaw affects the confidentiality of restricted content but does not allow modification, deletion, or availability impact.
Business impact
Information disclosure of restricted planning data poses operational and competitive risks. Teams using YouTrack to manage sensitive roadmaps, confidential feature plans, or restricted project phases face uncontrolled exposure if users with lower access tiers can enumerate hidden content. In regulated environments, this may trigger compliance violations if restricted data (e.g., internal-only strategy or customer-specific roadmaps) becomes visible to unauthorized personnel. The impact scales with the sensitivity and classification of restricted issues stored in YouTrack instances.
Affected systems
JetBrains YouTrack versions before 2026.1.13570 are vulnerable. The Planning Canvas feature is specifically affected. Organizations running YouTrack on-premises or via cloud deployments using any version prior to the patched release should assume exposure if Planning Canvas is in use and access controls are configured to restrict issue or article visibility.
Exploitability
Exploitability is moderate. An attacker must possess valid YouTrack credentials, placing this attack in the "insider threat" or compromised-credential category rather than unauthenticated external access. However, once authenticated, no additional barriers exist—enumeration is straightforward and does not require advanced technical skill. The attack is repeatable and leaves minimal forensic trail. Exploitation does not require user interaction or social engineering; it can be automated via API or UI access.
Remediation
Apply JetBrains YouTrack version 2026.1.13570 or later. Organizations unable to patch immediately should audit YouTrack user access roles, restrict Planning Canvas access to users with legitimate need-to-know, and review access logs for evidence of unauthorized enumeration. Consider implementing network segmentation to limit who can authenticate to YouTrack in the first place.
Patch guidance
Upgrade YouTrack to version 2026.1.13570 or later. Verify the patch release notes against the official JetBrains advisory to confirm the access control issue is resolved. Test in a staging environment before production deployment to ensure no workflow or integration breakage. If auto-update is enabled, prioritize this update in your deployment queue given the medium severity and bounded attack surface (requires authentication).
Detection guidance
Monitor YouTrack audit logs and API request patterns for anomalous enumeration of restricted issues or articles by lower-privilege user accounts. Search for bulk queries or repeated list/search operations on Planning Canvas by users whose role does not typically access those resources. Network-level detection is challenging because the attack uses legitimate authenticated sessions; endpoint Detection & Response (EDR) on the YouTrack server may surface suspicious automation or scripted access patterns. Review role-based access control (RBAC) configurations post-patch to ensure restrictions are correctly enforced.
Why prioritize this
This vulnerability merits prompt but not emergency patching. CVSS 6.5 (Medium severity) reflects high confidentiality impact but no integrity or availability impact. The requirement for valid credentials significantly narrows the threat surface—it eliminates mass-exploitation scenarios and limits risk to organizations with insider-threat concerns or previous credential compromise. Prioritize patching for instances storing highly sensitive planning data or operating in industries with strict data classification requirements (finance, healthcare, defense).
Risk score, explained
CVSS 3.1 score of 6.5 is driven by: (1) Network-accessible attack vector (AV:N), (2) Low attack complexity (AC:L) once authenticated, (3) Login required (PR:L), (4) No user interaction needed (UI:N), (5) Unchanged scope (S:U), (6) High confidentiality impact (C:H) from unrestricted enumeration, and (7) No integrity or availability impact (I:N, A:N). The score appropriately reflects that sensitive data can be read but not altered or destroyed, and that attack surface is bounded to authenticated users.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. CVE-2026-49386 requires valid YouTrack login credentials. This is an insider-threat or post-compromise attack vector, not a path for external unauthenticated access.
Does the vulnerability allow modification or deletion of restricted content?
No. The flaw is limited to enumeration and reading of restricted issues and articles. Integrity and availability of data are not impacted. Attackers cannot alter or destroy content.
Which YouTrack feature is affected?
The Planning Canvas feature is specifically vulnerable. Other YouTrack modules may not be affected by this particular access control flaw.
Is there a workaround if we cannot patch immediately?
There is no vendor-supplied workaround. Interim mitigations include restricting Planning Canvas access via role assignments, reviewing and tightening user permissions, and monitoring audit logs for suspicious enumeration patterns.
This analysis is based on published CVE information and vendor advisories as of the stated modification date. Patch version numbers and timelines should be verified against the official JetBrains YouTrack security advisory. This vulnerability does not appear on the CISA KEV catalog. Severity and exploitability may vary based on organizational architecture, access policies, and data sensitivity. SEC.co recommends consulting JetBrains documentation and conducting internal risk assessment before deployment. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
- CVE-2026-24753MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
- CVE-2026-24755MEDIUMKiteworks IDOR Authorization Flaw in Secure Data Forms
- CVE-2026-24756MEDIUMKiteworks IDOR Vulnerability – Unauthorized Data Modification Risk
- CVE-2026-3173MEDIUMWordPress Meta Field Block Insecure Direct Object Reference (IDOR) Vulnerability