CVE-2026-28193

8.8 HIGH

📋 TL;DR

This vulnerability in JetBrains YouTrack allows applications to send unauthorized requests to the app permissions endpoint, potentially enabling privilege escalation or unauthorized access. It affects YouTrack instances running versions before 2025.3.121962. Organizations using vulnerable YouTrack versions for issue tracking and project management are at risk.

💻 Affected Systems

Products:
  • JetBrains YouTrack
Versions: All versions before 2025.3.121962
Operating Systems: All platforms running YouTrack
Default Config Vulnerable: ⚠️ Yes
Notes: Affects YouTrack server instances; vulnerability exists in the application layer regardless of underlying OS.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could gain administrative privileges, access sensitive project data, modify permissions, or compromise the entire YouTrack instance.

🟠 Likely Case

Unauthorized users could elevate their permissions, access restricted projects/issues, or manipulate workflow configurations.

🟢 If Mitigated

With proper network segmentation and access controls, impact would be limited to the YouTrack application itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires some application access; exploitation details not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.3.121962 and later

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Back up YouTrack data and configuration.
2. Download YouTrack 2025.3.121962 or later from JetBrains.
3. Stop the YouTrack service.
4. Install/upgrade to the patched version.
5. Restart the YouTrack service.
6. Verify functionality.

🔧 Temporary Workarounds

Network Access Restriction (platforms: all)

Restrict network access to YouTrack to only trusted IP addresses/networks.

Application Firewall Rules (platforms: all)

Implement WAF rules to block suspicious requests to permissions endpoints.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate YouTrack from untrusted networks
  • Enable detailed audit logging and monitor for unusual permission modification attempts

🔍 How to Verify

Check if Vulnerable:

Check YouTrack version in Administration → System → About, or via REST API at /api/admin/version

Check Version:

curl -s http://youtrack-server/api/admin/version | grep version

Verify Fix Applied:

Confirm version is 2025.3.121962 or higher and test permission endpoint access controls
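Added example, not from the advisory or from JetBrains: a Python check that parses the build string returned by the version endpoint and compares it against the fixed build named above. It assumes the endpoint returns a JSON object with a "version" key (the advisory only shows a grep for "version"); the sample response bodies are constructed.

```python
import json
import re
import urllib.request
from typing import Tuple

# Fixed build from the advisory; every earlier build is affected.
FIXED_VERSION = "2025.3.121962"

# Constructed sample bodies standing in for the endpoint's JSON (assumed shape).
SAMPLE_VULNERABLE = '{"version": "2025.2.100123"}'
SAMPLE_PATCHED = '{"version": "2025.3.121962"}'


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a build string such as '2025.3.121962' into a comparable tuple.

    A missing build component is treated as 0 and any trailing suffix
    (e.g. '-SNAPSHOT') is ignored, so comparison stays conservative.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, build = (int(p or 0) for p in m.groups())
    return (major, minor, build)


def is_vulnerable(version: str) -> bool:
    """True when the running build predates the fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_version_response(body: str) -> dict:
    """Evaluate a JSON response body; assumes a top-level 'version' string."""
    data = json.loads(body)
    version = data.get("version")
    if not isinstance(version, str):
        raise ValueError("response has no 'version' string")
    return {"version": version, "fixed_in": FIXED_VERSION,
            "vulnerable": is_vulnerable(version)}


def check_instance(base_url: str, timeout: float = 10.0) -> dict:
    """Fetch the endpoint from the advisory and evaluate it (network call)."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/api/admin/version",
                                timeout=timeout) as resp:
        return check_version_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    for body in (SAMPLE_VULNERABLE, SAMPLE_PATCHED):
        print(check_version_response(body))
```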

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /api/admin/permissions endpoints
  • Multiple failed permission modification attempts
  • Unexpected user privilege changes

Network Indicators:

  • Unusual traffic patterns to YouTrack admin endpoints
  • Requests to permissions API from unexpected sources

SIEM Query:

source="youtrack" AND (uri_path="/api/admin/permissions" OR event_type="PERMISSION_MODIFY")
