PatchSiren

CVE-2026-49370 JetBrains CVE debrief

A low-severity information disclosure vulnerability in JetBrains YouTrack before version 2026.1.13162 allows authenticated administrators to inadvertently expose sensitive information through fetchApp requests. The vulnerability, published on May 29, 2026, carries a CVSS 3.1 score of 3.4 (Low severity) with the vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N. The attack requires high privileges (administrator access) and user interaction, limiting its practical exploitability. The weakness is categorized as CWE-201 (Insertion of Sensitive Information Into Sent Data). JetBrains has addressed this issue in YouTrack 2026.1.13162 and later versions.

Vendor: JetBrains
Product: YouTrack
CVSS: LOW 3.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running JetBrains YouTrack for issue tracking and project management should apply this update, particularly those with multiple administrators or complex app integrations that use fetchApp functionality. Security teams responsible for vulnerability management in development infrastructure should include it in routine patching cycles, given its low severity and clear remediation path.

Technical summary

The vulnerability exists in the fetchApp request handling mechanism of JetBrains YouTrack versions prior to 2026.1.13162. When an authenticated administrator with high privileges performs specific fetchApp operations, sensitive information may be disclosed in the response. The attack surface is constrained by the requirement for administrative credentials and user interaction, resulting in a low CVSS score. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data), indicating that sensitive data is inadvertently included in outbound communications.

Defensive priority

Routine

Recommended defensive actions

  • Upgrade JetBrains YouTrack to version 2026.1.13162 or later to remediate this information disclosure vulnerability
  • Review administrator access controls and audit fetchApp request patterns in YouTrack deployments
  • Monitor JetBrains security advisories for additional guidance on this and related issues
  • Verify that user interaction requirements for administrative functions are properly enforced in your YouTrack configuration

Evidence notes

The vulnerability affects JetBrains YouTrack, an issue tracking and project management platform. The information disclosure occurs specifically in fetchApp request handling. The CVSS scoring reflects limited impact due to the high privilege requirement (PR:H) and need for user interaction (UI:R).

Official resources

JetBrains disclosed this vulnerability through their standard security advisory process, with the issue documented in their issues-fixed security page.