CVE-2026-25846

6.5 MEDIUM

📋 TL;DR

JetBrains YouTrack versions before 2025.3.119033 expose access tokens in Mailbox logs, potentially allowing attackers to steal authentication credentials. This affects all YouTrack instances with Mailbox functionality enabled. Attackers with access to log files could impersonate users.

💻 Affected Systems

Products:
  • JetBrains YouTrack
Versions: All versions before 2025.3.119033
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with Mailbox functionality enabled and logging configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access tokens, leading to full system compromise, data exfiltration, and privilege escalation across the YouTrack instance.

🟠

Likely Case

Unauthorized users access sensitive access tokens from logs, enabling them to impersonate legitimate users and perform actions within their permission scope.

🟢

If Mitigated

With proper log access controls and monitoring, token exposure is limited to authorized administrators only, minimizing misuse potential.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to log files where tokens are exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.3.119033

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Back up the YouTrack instance.
2. Download and install YouTrack version 2025.3.119033 or later.
3. Restart the YouTrack service.
4. Verify that the logs no longer contain access tokens.

🔧 Temporary Workarounds

Disable Mailbox Logging

all

Temporarily disable detailed Mailbox logging to prevent token exposure.

Modify YouTrack logging configuration to exclude Mailbox component logs

Restrict Log File Access

linux

Apply strict file permissions to log directories to prevent unauthorized access.

chmod 600 /path/to/youtrack/logs/*
chown youtrack:youtrack /path/to/youtrack/logs/*

🧯 If You Can't Patch

  • Implement strict access controls on log directories and files.
  • Regularly monitor and audit log access patterns for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check the YouTrack version via the web interface or the server logs. If the version is earlier than 2025.3.119033, the instance is vulnerable.

Check Version:

Check the YouTrack web interface under Admin → System → About, or run: java -jar youtrack.jar --version

Verify Fix Applied:

After patching, verify that the version is 2025.3.119033 or later and check the Mailbox logs for the absence of access tokens.

📡 Detection & Monitoring

Log Indicators:

  • Access tokens appearing in Mailbox-related log entries
  • Unauthorized access attempts to log files

Network Indicators:

  • Unusual authentication patterns from unexpected IP addresses

SIEM Query:

source="youtrack_logs" AND "access_token" AND "mailbox"
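As an added example (not part of this advisory and not JetBrains code), the SIEM query above expressed as a small Python scanner: it flags Mailbox log lines that carry a token value and redacts the value so the line can still be forwarded. The log layout, the "perm:" token shape, the field names and the sample lines are assumptions constructed for the example, not YouTrack's documented format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines in a hypothetical "timestamp LEVEL Component message"
# layout; this is NOT YouTrack's real Mailbox log format.
SAMPLE_LOG = """\
2026-01-10 09:12:01 INFO  Mailbox polling imap.example.com for project SUPPORT
2026-01-10 09:12:02 DEBUG Mailbox request headers: Authorization: Bearer perm:dXNlcg==.UGVybWFuZW50.AbCdEf1234567890
2026-01-10 09:12:03 INFO  Mailbox fetched 3 messages
2026-01-10 09:12:04 DEBUG Backup  settings access_token=0123456789abcdef0123456789abcdef
"""

# Token-bearing shapes: a bearer header, an access_token key/value, or a bare
# "perm:" prefixed value (assumed shape of a permanent token). Group 1 is the secret.
TOKEN_RE = re.compile(
    r"(?i)(?:authorization:\s*bearer\s+|access_token\s*[=:]\s*|\bperm:)"
    r"([A-Za-z0-9._~+/=:-]{16,})"
)
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+)\s+(?P<comp>\w+)\s+(?P<msg>.*)$")


def redact(line: str) -> str:
    """Mask every token value in a line, keeping the label that precedes it."""
    return TOKEN_RE.sub(
        lambda m: m.group(0)[: m.start(1) - m.start()] + "[REDACTED]", line
    )


def find_token_exposures(log_text: str, component: Optional[str] = "Mailbox") -> List[Dict[str, str]]:
    """Return one finding per line that carries a token value.

    With component set, only lines logged by that component are reported
    (mirroring the AND "mailbox" clause of the SIEM query); None scans all lines.
    """
    findings: List[Dict[str, str]] = []
    for number, line in enumerate(log_text.splitlines(), 1):
        parsed = LINE_RE.match(line)
        comp = parsed["comp"] if parsed else "?"
        if component and comp.lower() != component.lower():
            continue
        if TOKEN_RE.search(line):
            findings.append({"line": str(number), "component": comp, "redacted": redact(line)})
    return findings


if __name__ == "__main__":
    for finding in find_token_exposures(SAMPLE_LOG):
        print(finding)
```

Run it against a real log directory once the logging layout has been checked; the findings list is the set of lines that should be purged or rotated after the tokens they contain are revoked.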

🔗 References
