PatchSiren cyber security CVE debrief
CVE-2026-49369 JetBrains CVE debrief
A medium-severity information disclosure vulnerability exists in JetBrains YouTrack versions prior to 2026.1.13162. The flaw allows authenticated users to access sensitive information through the Users and Groups pages. The vulnerability was disclosed on 2026-05-29 and is currently undergoing analysis by NVD. No known exploitation in the wild or ransomware campaign use has been reported.
- Vendor: JetBrains
- Product: YouTrack
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running JetBrains YouTrack for project management and issue tracking, particularly those with multi-user environments where access segregation between administrative and standard user functions is required. Security teams responsible for application security posture management and compliance with least-privilege access principles should prioritize this patch.
Technical summary
CVE-2026-49369 is an information disclosure vulnerability in JetBrains YouTrack project management and issue tracking software. The vulnerability exists in versions prior to 2026.1.13162 and affects the Users and Groups administrative pages. An attacker with low-privileged authenticated access can exploit this flaw to disclose information that should be restricted. The vulnerability has a CVSS 3.1 score of 4.3 (Medium severity) with the following characteristics: Network attack vector, Low attack complexity, Low privileges required, No user interaction needed, and Low confidentiality impact with no integrity or availability impact. The root cause is categorized under CWE-863 (Incorrect Authorization), indicating improper access control enforcement on sensitive administrative interfaces.
Defensive priority
medium
Recommended defensive actions
- Upgrade JetBrains YouTrack to version 2026.1.13162 or later
- Review access controls on Users and Groups pages for unauthorized information exposure
- Monitor JetBrains security advisories for additional guidance
- Audit user access logs for suspicious activity on administrative pages
Evidence notes
The CVE description and NVD record confirm the vulnerability affects JetBrains YouTrack before version 2026.1.13162. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates a network attack vector with low attack complexity, requiring low privileges and no user interaction, and resulting in low confidentiality impact. The weakness is classified as CWE-863 (Incorrect Authorization).
Official resources
- CVE-2026-49369 CVE record (CVE.org)
- CVE-2026-49369 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: 2026-05-29