Skip to main content

JetBrains YouTrack EUVDEUVD-2026-39655

| CVE-2026-57923 HIGH
Missing Authorization (CWE-862)
2026-06-26 JetBrains
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (JetBrains) PRIMARY
MEDIUM
qualitative
NVD
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
4.3 MEDIUM

Authorization bypass on an app endpoint typically needs a low-privilege account (PR:L); impact is limited to tampering with project settings (I:L), with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (JetBrains).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 27, 2026 - 19:44 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 27, 2026 - 19:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 27, 2026 - 19:37 vuln.today
cvss_changed
Severity Changed
Jun 27, 2026 - 19:37 NVD
MEDIUM HIGH
CVSS changed
Jun 27, 2026 - 19:37 NVD
5.3 (MEDIUM) 7.5 (HIGH)
Patch available
Jun 26, 2026 - 15:01 EUVD
Analysis Generated
Jun 26, 2026 - 13:51 vuln.today

DescriptionNVD

In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings

AnalysisAI

Improper authorization in JetBrains YouTrack's app configurations endpoint lets remote attackers modify project settings they should not be permitted to change, affecting all versions before 2026.2.16593. The flaw (CWE-862, Missing Authorization) impacts integrity only - no data disclosure or service disruption - and was self-reported by JetBrains with a patch already available. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach YouTrack configurations endpoint
Exploit
Send crafted settings-modification request
Execution
Bypass missing authorization check
Impact
Alter project settings without permission

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to a YouTrack instance running a version before 2026.2.16593 and a request to the app configurations endpoint that performs project-settings modification. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and lean toward moderate, not critical, real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reaches the network-accessible YouTrack app configurations endpoint and issues a crafted request to alter project settings that should require project-administrator permission, tampering with project configuration without proper authorization. With AC:L and (per the published vector) no privileges or user interaction required, the request is straightforward to send; no public proof-of-concept is currently known.
Remediation Vendor-released patch: upgrade JetBrains YouTrack to version 2026.2.16593 or later, which corrects the authorization check on the app configurations endpoint; this is the primary and only confirmed fix, per the JetBrains advisory at https://www.jetbrains.com/privacy-security/issues-fixed/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all YouTrack instances and identify those running versions before 2026.2.16593; assess exposure scope by noting which instances manage sensitive projects. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-62422 CRITICAL
10.0 Jul 14

Authentication bypass in JetBrains YouTrack allows attackers to obtain full administrative access by leveraging a direct

CVE-2024-54154 CRITICAL
9.8 Dec 04

In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox. Rated c

CVE-2022-24442 CRITICAL
9.8 Feb 25

JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.

CVE-2021-43185 CRITICAL
9.8 Nov 09

JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection. Rated critical severity (CVSS 9.8), this

CVE-2021-25770 CRITICAL
9.8 Feb 03

In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code e

CVE-2019-12852 CRITICAL
9.8 Jul 03

An SSRF attack was possible on a JetBrains YouTrack server. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2019-12867 CRITICAL
9.8 Jul 03

Certain actions could cause privilege escalation for issue attachments in JetBrains YouTrack. Rated critical severity (C

CVE-2019-12866 CRITICAL
9.8 Jul 03

An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains

CVE-2019-12850 CRITICAL
9.8 Jul 03

A query injection was possible in JetBrains YouTrack. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2021-37549 CRITICAL
9.1 Aug 06

In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient. Rated critical severity (CVSS 9.1),

CVE-2026-28193 HIGH
8.8 Feb 25

Authenticated users in JetBrains YouTrack versions prior to 2025.3.121962 can bypass authorization controls to access th

CVE-2021-25765 HIGH
8.8 Feb 03

In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible. Rated high severity (CVSS 8.8), this

Share

EUVD-2026-39655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy