PatchSiren cyber security CVE debrief

CVE-2026-49385 JetBrains CVE debrief

A medium-severity improper access control vulnerability in JetBrains YouTrack before version 2026.1.13570 allows low-privileged users to modify service accounts. The flaw stems from missing authorization checks (CWE-862): modification of service accounts is not restricted to administrative roles. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) indicates a network attack vector with low attack complexity, requiring low privileges but no user interaction, and a high integrity impact with no confidentiality or availability impact. The vulnerability was published to NVD on May 29, 2026 and remains under analysis. JetBrains has addressed the issue in YouTrack 2026.1.13570.

Vendor: JetBrains
Product: YouTrack
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running JetBrains YouTrack for issue tracking and project management, particularly those that rely on service accounts for integrations and automated workflows. Security teams should prioritize patching to prevent unauthorized modification of service account credentials and permissions, which could enable further lateral movement or data access.

Technical summary

The vulnerability exists in the access control implementation for service account management in JetBrains YouTrack. Low-privileged authenticated users can bypass the intended authorization restrictions and modify service account configurations. This represents a horizontal privilege escalation in which standard user permissions are insufficiently enforced against sensitive administrative functions. The attack requires network access to the YouTrack instance and valid low-privilege credentials; no additional user interaction is needed. Successful exploitation compromises service account integrity without affecting system availability or directly exposing confidential data.

Defensive priority

medium

Recommended defensive actions

  • Upgrade JetBrains YouTrack to version 2026.1.13570 or later to remediate this vulnerability
  • Review service account modification audit logs for unauthorized changes in affected versions
  • Verify that service account management permissions are restricted to administrative roles after patching
  • Monitor for anomalous service account activity in YouTrack deployments running versions prior to 2026.1.13570
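The two checks below implement the version and audit-log actions from this list as an added example; this is not PatchSiren or JetBrains code. The fixed build 2026.1.13570 comes from the advisory; the JSON Lines audit-event layout, the field names and the administrative role names are constructed assumptions, since the advisory does not show YouTrack's own export format.

```python
"""Triage helpers for the CVE-2026-49385 YouTrack advisory (added example).

1) is_vulnerable(): is a deployed YouTrack build older than the fixed build?
2) unauthorized_service_account_changes(): which service-account modifications
   in an audit export were made by actors holding no administrative role?
The event layout and role names are CONSTRUCTED for illustration; map a real
export onto these fields before use.
"""
import json

FIXED_BUILD = "2026.1.13570"                      # from the advisory
ADMIN_ROLES = {"admin", "service-account-manager"}  # assumed role names
MODIFYING_ACTIONS = {"update", "delete", "rotate_token", "change_permissions"}


def parse_build(version: str) -> tuple:
    """'2026.1.13570' -> (2026, 1, 13570); extra suffixes are ignored."""
    return tuple(int(part) for part in version.strip().split(".")[:3])


def is_vulnerable(version: str) -> bool:
    """True for any YouTrack build numerically before the fixed build."""
    return parse_build(version) < parse_build(FIXED_BUILD)


def unauthorized_service_account_changes(audit_jsonl: str) -> list:
    """Return modifying events on service accounts whose actor had no admin role.

    Deny-by-default: an event with no actor_roles field is also flagged.
    """
    hits = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("target_type") != "service_account":
            continue
        if event.get("action") not in MODIFYING_ACTIONS:
            continue
        if not set(event.get("actor_roles", [])) & ADMIN_ROLES:
            hits.append(event)
    return hits


# Constructed sample export: one legitimate admin change, one low-privilege change
SAMPLE_AUDIT = """\
{"ts": "2026-05-30T08:01:00Z", "actor": "admin.bob", "actor_roles": ["admin"], "action": "update", "target_type": "service_account", "target": "ci-bot"}
{"ts": "2026-05-30T08:02:00Z", "actor": "dev.alice", "actor_roles": ["developer"], "action": "rotate_token", "target_type": "service_account", "target": "ci-bot"}
{"ts": "2026-05-30T08:03:00Z", "actor": "dev.alice", "actor_roles": ["developer"], "action": "update", "target_type": "user", "target": "dev.alice"}
{"ts": "2026-05-30T08:04:00Z", "actor": "dev.carol", "actor_roles": ["developer"], "action": "read", "target_type": "service_account", "target": "ci-bot"}
"""
```

Run against a real export after mapping the fields; every flagged event on a build older than the fixed one warrants a review of that service account's token and permissions.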

Evidence notes

The vulnerability description and affected version information are sourced from the official CVE record and NVD entry. The CWE-862 classification and CVSS vector are confirmed in NVD metadata. The fix version 2026.1.13570 is derived from the CVE description stating 'before 2026.1.13570'.

Official resources

JetBrains disclosed this vulnerability through its "Security issues fixed" page on May 29, 2026. The CVE was assigned and published to NVD the same day. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA KEV.