MEDIUM 6.5

CVE-2026-49386: YouTrack Access Control Vulnerability Allows Enumeration of Restricted Issues

JetBrains YouTrack versions prior to 2026.1.13570 contain an access control flaw that allows authenticated users to discover restricted issues and articles on the Planning Canvas feature. While attackers cannot modify or delete content, they can enumerate sensitive information that should be hidden from their permission level. This is a credential-based attack—an attacker must have valid YouTrack login credentials to exploit it, but once authenticated, the vulnerability requires no special interaction or additional privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-639
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49386 stems from improper access control mechanisms in YouTrack's Planning Canvas module (CWE-639: Authorization through User-Controlled Key). The vulnerability permits an authenticated attacker to bypass visibility restrictions and enumerate issues and articles marked as restricted. The attack vector is network-accessible and requires only standard user credentials; no social engineering, client-side interaction, or elevated privileges are necessary. The flaw affects the confidentiality of restricted content but does not allow modification, deletion, or availability impact.

Business impact

Information disclosure of restricted planning data poses operational and competitive risks. Teams using YouTrack to manage sensitive roadmaps, confidential feature plans, or restricted project phases face uncontrolled exposure if users with lower access tiers can enumerate hidden content. In regulated environments, this may trigger compliance violations if restricted data (e.g., internal-only strategy or customer-specific roadmaps) becomes visible to unauthorized personnel. The impact scales with the sensitivity and classification of restricted issues stored in YouTrack instances.

Affected systems

JetBrains YouTrack versions before 2026.1.13570 are vulnerable. The Planning Canvas feature is specifically affected. Organizations running YouTrack on-premises or via cloud deployments using any version prior to the patched release should assume exposure if Planning Canvas is in use and access controls are configured to restrict issue or article visibility.

Exploitability

Exploitability is moderate. An attacker must possess valid YouTrack credentials, placing this attack in the "insider threat" or compromised-credential category rather than unauthenticated external access. However, once authenticated, no additional barriers exist—enumeration is straightforward and does not require advanced technical skill. The attack is repeatable and leaves minimal forensic trail. Exploitation does not require user interaction or social engineering; it can be automated via API or UI access.

Remediation

Apply JetBrains YouTrack version 2026.1.13570 or later. Organizations unable to patch immediately should audit YouTrack user access roles, restrict Planning Canvas access to users with legitimate need-to-know, and review access logs for evidence of unauthorized enumeration. Consider implementing network segmentation to limit who can authenticate to YouTrack in the first place.

Patch guidance

Upgrade YouTrack to version 2026.1.13570 or later. Verify the patch release notes against the official JetBrains advisory to confirm the access control issue is resolved. Test in a staging environment before production deployment to ensure no workflow or integration breakage. If auto-update is enabled, prioritize this update in your deployment queue given the medium severity and bounded attack surface (requires authentication).

Detection guidance

Monitor YouTrack audit logs and API request patterns for anomalous enumeration of restricted issues or articles by lower-privilege user accounts. Search for bulk queries or repeated list/search operations on Planning Canvas by users whose role does not typically access those resources. Network-level detection is challenging because the attack uses legitimate authenticated sessions; endpoint Detection & Response (EDR) on the YouTrack server may surface suspicious automation or scripted access patterns. Review role-based access control (RBAC) configurations post-patch to ensure restrictions are correctly enforced.

Why prioritize this

This vulnerability merits prompt but not emergency patching. CVSS 6.5 (Medium severity) reflects high confidentiality impact but no integrity or availability impact. The requirement for valid credentials significantly narrows the threat surface—it eliminates mass-exploitation scenarios and limits risk to organizations with insider-threat concerns or previous credential compromise. Prioritize patching for instances storing highly sensitive planning data or operating in industries with strict data classification requirements (finance, healthcare, defense).

Risk score, explained

CVSS 3.1 score of 6.5 is driven by: (1) Network-accessible attack vector (AV:N), (2) Low attack complexity (AC:L) once authenticated, (3) Login required (PR:L), (4) No user interaction needed (UI:N), (5) Unchanged scope (S:U), (6) High confidentiality impact (C:H) from unrestricted enumeration, and (7) No integrity or availability impact (I:N, A:N). The score appropriately reflects that sensitive data can be read but not altered or destroyed, and that attack surface is bounded to authenticated users.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. CVE-2026-49386 requires valid YouTrack login credentials. This is an insider-threat or post-compromise attack vector, not a path for external unauthenticated access.

Does the vulnerability allow modification or deletion of restricted content?

No. The flaw is limited to enumeration and reading of restricted issues and articles. Integrity and availability of data are not impacted. Attackers cannot alter or destroy content.

Which YouTrack feature is affected?

The Planning Canvas feature is specifically vulnerable. Other YouTrack modules may not be affected by this particular access control flaw.

Is there a workaround if we cannot patch immediately?

There is no vendor-supplied workaround. Interim mitigations include restricting Planning Canvas access via role assignments, reviewing and tightening user permissions, and monitoring audit logs for suspicious enumeration patterns.

This analysis is based on published CVE information and vendor advisories as of the stated modification date. Patch version numbers and timelines should be verified against the official JetBrains YouTrack security advisory. This vulnerability does not appear on the CISA KEV catalog. Severity and exploitability may vary based on organizational architecture, access policies, and data sensitivity. SEC.co recommends consulting JetBrains documentation and conducting internal risk assessment before deployment. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).