PatchSiren cyber security CVE debrief

CVE-2026-49386 JetBrains CVE debrief

JetBrains YouTrack versions prior to 2026.1.13570 contain an authorization bypass through a user-controlled key (CWE-639) in the Planning Canvas feature. An authenticated attacker with low privileges can enumerate restricted issues and articles that should not be accessible to them. The vulnerability has a CVSS 3.1 base score of 6.5 (MEDIUM) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. The CVE was published on May 29, 2026, and is currently undergoing analysis by NVD. JetBrains has addressed the issue in YouTrack 2026.1.13570.

Vendor: JetBrains
Product: YouTrack
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations using JetBrains YouTrack for project management and issue tracking, particularly those relying on per-issue or per-article visibility restrictions to protect sensitive content. Security teams should prioritize patching if YouTrack holds confidential project data, security findings, or internal documentation with restricted access. Note that the attacker, not the victim, drives the Planning Canvas: whether your own teams use the feature for sprint planning or roadmap visualization does not reduce exposure. Any instance reachable by low-privileged accounts (contractors, external reporters, guest roles) is affected until it is upgraded.

Technical summary

The vulnerability exists in the Planning Canvas feature of JetBrains YouTrack, where missing or incomplete authorization checks allow authenticated users to enumerate issues and articles that have restricted visibility. The Planning Canvas is a visualization and planning tool within YouTrack that displays issues and articles in a board or timeline format. The CWE-639 classification (Authorization Bypass Through User-Controlled Key) indicates that a client-supplied identifier (such as an issue or article ID) is used to fetch a resource without verifying that the requesting user is allowed to see that specific item; typically the code checks that the user may use the feature, but not that the user may see each object the feature resolves. An attacker with valid credentials can therefore iterate over identifiers and discover restricted items, even though the same items are correctly hidden elsewhere in the product. The confidentiality impact is rated HIGH because such enumeration can reveal sensitive project information, internal discussions, security issues, or other restricted content. The advisory describes the exposure as enumeration; how much of each item beyond its existence and identifying fields is returned is not stated in the sources this debrief is based on. The attack requires network access to the YouTrack instance and a valid low-privileged account, but no user interaction and no elevated privileges.
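The pattern described above, as an added example that is not YouTrack code and makes no claim about YouTrack internals: a canvas-style endpoint that takes client-supplied issue IDs. The vulnerable variant checks only that the caller may use the feature and then trusts the IDs (CWE-639); the fixed variant authorizes every referenced object for the requesting user, and the single-item lookup makes a hidden issue and a missing issue indistinguishable so the response cannot be used as an existence oracle. The data model, IDs, groups and visibility rules are constructed for the demo.

```python
from dataclasses import dataclass

# Constructed data model (hypothetical, not YouTrack's schema).
@dataclass(frozen=True)
class Issue:
    id: str
    summary: str
    project: str
    visible_to: frozenset  # groups allowed to see it; empty = project default


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


# Constructed sample issues: one public, two with visibility restrictions.
ISSUES = {
    "DEMO-1": Issue("DEMO-1", "Public roadmap item", "DEMO", frozenset()),
    "DEMO-2": Issue("DEMO-2", "Unpatched auth bypass in login", "DEMO",
                    frozenset({"security"})),
    "DEMO-3": Issue("DEMO-3", "Layoff planning Q3", "DEMO", frozenset({"hr"})),
}
PROJECT_MEMBERS = {"DEMO": frozenset({"developers", "security", "hr"})}


def can_view(user, issue):
    """Project membership plus the per-issue visibility restriction."""
    members = PROJECT_MEMBERS.get(issue.project, frozenset())
    if not (user.groups & members):
        return False
    if not issue.visible_to:          # no restriction: project default applies
        return True
    return bool(user.groups & issue.visible_to)


def canvas_items_vulnerable(user, requested_ids):
    """CWE-639: verifies the caller may open the canvas, then resolves every
    ID the client sent without checking per-object visibility."""
    if not user.groups:
        raise PermissionError("not logged in")
    return [(i, ISSUES[i].summary) for i in requested_ids if i in ISSUES]


def canvas_items_fixed(user, requested_ids):
    """Authorizes each referenced object for *this* user; hidden and
    nonexistent IDs are both silently omitted."""
    out = []
    for i in requested_ids:
        issue = ISSUES.get(i)
        if issue is not None and can_view(user, issue):
            out.append((i, issue.summary))
    return out


def canvas_lookup_fixed(user, issue_id):
    """Single-item variant: return None for both 'does not exist' and
    'not visible', so the response carries no existence signal."""
    issue = ISSUES.get(issue_id)
    if issue is None or not can_view(user, issue):
        return None
    return issue.summary


if __name__ == "__main__":
    contractor = User("contractor", frozenset({"developers"}))
    probe = ["DEMO-1", "DEMO-2", "DEMO-3", "DEMO-4"]
    print("vulnerable:", canvas_items_vulnerable(contractor, probe))
    print("fixed:     ", canvas_items_fixed(contractor, probe))
```

The enumeration the advisory describes is the gap between the two outputs: the vulnerable endpoint hands a low-privileged account every existing ID it asks for, while the fixed one returns only what that account could see through any other view of the product.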

Defensive priority

medium

Recommended defensive actions

  • Upgrade JetBrains YouTrack to version 2026.1.13570 or later; this is the only fix, since the flaw is that existing visibility restrictions are not enforced by Planning Canvas
  • Until the upgrade is applied, limit which roles can reach Planning Canvas and, where possible, the instance itself, because the attack needs only a low-privileged login
  • Audit access logs for signs of enumeration against Planning Canvas endpoints: one account touching many distinct issue or article IDs in a short window, or walking sequential IDs
  • Verify that sensitive issues and articles carry appropriate visibility restrictions, and treat items that were restricted during the exposure window as potentially disclosed to any authenticated user
  • After patching, continue to monitor for bulk or sequential access to Planning Canvas resources; denied lookups that now appear in logs may indicate an account that was probing before the fix
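One way to implement the log review and monitoring items above, as an added example that is not part of the original debrief or of YouTrack: a small detector run over access-log lines. The log line shape (`user=… path=… status=…`) is an assumption; adapt the regex to whatever your reverse proxy or YouTrack access log actually emits. The sample lines are constructed. It flags an account that touches many distinct issue IDs inside a time window, walks a sequential run of IDs, or accumulates many denied lookups (which only show up once the instance is patched and the checks are enforced).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape (hypothetical); adjust to your real access log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
ID_RE = re.compile(r"\b([A-Z][A-Z0-9]+-\d+)\b")  # PROJECT-123 style IDs

# Constructed sample log: alice is normal, bob walks SEC-0..SEC-39 on an
# unpatched instance (everything 200), carol probes HR-100.. after the patch.
SAMPLE_LOG = (
    ["2026-05-30T10:00:01Z user=alice path=/api/planning-canvas/items?ids=DEMO-1,DEMO-2 status=200",
     "2026-05-30T10:00:03Z user=alice path=/api/issues/DEMO-1 status=200"]
    + [f"2026-05-30T10:01:{n:02d}Z user=bob path=/api/planning-canvas/items?ids=SEC-{n} status=200"
       for n in range(40)]
    + [f"2026-05-30T10:05:{n:02d}Z user=carol path=/api/planning-canvas/items?ids=HR-{100 + n} status=404"
       for n in range(12)]
)


def parse(lines):
    """Keep only Planning Canvas requests; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or "/planning-canvas" not in m["path"]:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], int(m["status"]), ID_RE.findall(m["path"])))
    return sorted(events, key=lambda e: e[0])


def longest_sequential_run(ids):
    """Longest run of consecutive numeric IDs within one project prefix."""
    by_project = defaultdict(set)
    for i in ids:
        proj, num = i.rsplit("-", 1)
        by_project[proj].add(int(num))
    best = 0
    for nums in by_project.values():
        for n in nums:
            if n - 1 in nums:          # not the start of a run
                continue
            run = 1
            while n + run in nums:
                run += 1
            best = max(best, run)
    return best


def find_enumerators(lines, window=timedelta(minutes=5), distinct_threshold=25,
                     run_threshold=10, denied_threshold=10):
    """Return {user: [reasons]} for accounts whose sliding-window activity
    crosses any threshold. Thresholds are starting points, not tuned values."""
    per_user = defaultdict(list)
    for ts, user, status, ids in parse(lines):
        per_user[user].append((ts, status, ids))
    findings = {}
    for user, evs in per_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            ids = {i for _, _, lst in win for i in lst}
            denied = sum(1 for _, s, _ in win if s in (403, 404))
            run = longest_sequential_run(ids)
            reasons = []
            if len(ids) >= distinct_threshold:
                reasons.append(f"{len(ids)} distinct issue ids within {window}")
            if run >= run_threshold:
                reasons.append(f"sequential id run of {run}")
            if denied >= denied_threshold:
                reasons.append(f"{denied} denied lookups within {window}")
            if reasons:
                findings[user] = reasons
                break                   # one finding per account is enough
    return findings


if __name__ == "__main__":
    for user, reasons in find_enumerators(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

On an unpatched instance the denied-lookup signal is useless, because the bug is precisely that restricted items are returned with a success status; there the distinct-ID and sequential-run heuristics are what you have. The 403/404 signal becomes meaningful after the upgrade and is a reasonable way to spot accounts that were already probing.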

Evidence notes

The vulnerability is confirmed by official sources: CVE.org record, NVD entry, and JetBrains security advisory. The CWE-639 (Authorization Bypass Through User-Controlled Key) classification indicates the issue involves improper authorization checks when accessing resources.

Official resources

JetBrains disclosed this vulnerability through its security issues fixed page. The CVE was assigned and published to NVD on May 29, 2026.