CVE-2026-49370 Overview
CVE-2026-49370 is an information disclosure vulnerability affecting JetBrains YouTrack versions prior to 2026.1.13162. The flaw allows unauthenticated remote attackers to obtain sensitive information through fetchApp requests. The weakness is classified as [CWE-201] Insertion of Sensitive Information Into Sent Data.
YouTrack is a project management and issue tracking platform widely deployed by software engineering teams. Exposure of internal application data through fetchApp endpoints can reveal configuration details, application state, or other sensitive metadata. JetBrains has patched the issue in version 2026.1.13162.
Critical Impact
Unauthenticated network attackers can retrieve confidential information from vulnerable YouTrack instances by issuing crafted fetchApp requests, with no user interaction required.
Affected Products
- JetBrains YouTrack versions before 2026.1.13162
- Self-hosted YouTrack server deployments
- YouTrack instances exposed to untrusted networks
Discovery Timeline
- 2026-05-29 - CVE-2026-49370 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-49370
Vulnerability Analysis
The vulnerability resides in how YouTrack handles fetchApp requests. The endpoint returns data without enforcing adequate access controls or filtering on the response payload. As a result, sensitive information that should remain internal to the application becomes accessible to remote callers.
The issue maps to [CWE-201], which covers cases where applications insert sensitive information into data transmitted to parties that should not receive it. Because the attack vector is network-based and requires no privileges or user interaction, attackers can probe internet-exposed YouTrack instances directly. The EPSS score is 0.002% with a percentile of 0.055, and no public exploit code has been observed at the time of publication.
Root Cause
The root cause is improper response handling in the fetchApp request processing logic of YouTrack. The endpoint exposes application data without applying sufficient authorization checks or output filtering. JetBrains addressed this by modifying the response logic in build 2026.1.13162.
Attack Vector
An attacker reaches the vulnerability by sending HTTP requests to the fetchApp endpoint of a vulnerable YouTrack server. No authentication or user interaction is required. The attacker parses the response to extract disclosed information. Refer to the JetBrains Issues Fixed advisory for vendor-supplied technical context.
Detection Methods for CVE-2026-49370
Indicators of Compromise
- Unexpected HTTP requests targeting fetchApp endpoints from external or unknown source IPs
- Anomalous spikes in request volume to YouTrack application URLs without corresponding user sessions
- Access log entries showing fetchApp calls preceding sensitive data exfiltration patterns
Detection Strategies
- Review YouTrack access logs for unauthenticated requests to fetchApp paths and correlate with response sizes
- Deploy web application firewall rules that flag or rate-limit fetchApp requests from non-authenticated sessions
- Compare current YouTrack build numbers against 2026.1.13162 to identify exposed instances
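The following Python script is an added example, not code from the advisory or from JetBrains. It applies the first and third strategies above to a few constructed access-log lines: it flags fetchApp requests that carry no authenticated user and originate outside a trusted network, totals the response bytes per source so large responses stand out, and checks a YouTrack build string against the fixed build 2026.1.13162. Assumptions are labelled in the code: logs are in the nginx/Apache combined format, the reverse proxy writes "-" in the remote-user field for requests without an authenticated session, the exact fetchApp URL path is not given by the advisory so the matcher only looks for "fetchapp" in the path (case-insensitively, like the nginx rule in the workarounds section), and the trusted range 10.0.0.0/8 is taken from that same rule.

```python
"""Added example: scan combined-format access logs for unauthenticated
fetchApp requests from untrusted sources and check YouTrack build numbers
against the fixed build. Not part of the advisory or of JetBrains' tooling."""
import ipaddress
import re
from collections import Counter

# From the advisory: the issue is fixed in YouTrack 2026.1.13162.
FIXED_BUILD = (2026, 1, 13162)

# Assumption: the trusted range mirrors the nginx workaround's allow rule.
TRUSTED_NETS = ("10.0.0.0/8",)

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines for demonstration only; the fetchApp path shown
# here is an assumption, the advisory does not give the exact URL.
SAMPLE_LOG = """\
10.0.0.5 - alice [29/May/2026:10:00:01 +0000] "GET /issues HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/May/2026:10:00:02 +0000] "GET /api/fetchApp?app=hub HTTP/1.1" 200 48211 "-" "curl/8.0"
203.0.113.7 - - [29/May/2026:10:00:03 +0000] "GET /api/fetchApp?app=core HTTP/1.1" 200 51003 "-" "curl/8.0"
10.0.0.9 - bob [29/May/2026:10:00:04 +0000] "GET /api/fetchApp?app=core HTTP/1.1" 200 912 "-" "Mozilla/5.0"
198.51.100.3 - - [29/May/2026:10:00:05 +0000] "GET /api/fetchApp HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def _is_trusted(ip_text, nets):
    """True if the address lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable source is treated as untrusted
    return any(ip in net for net in nets)


def find_suspicious_fetchapp(log_text, trusted_nets=TRUSTED_NETS):
    """Return records for fetchApp requests with no authenticated user
    (remote-user field '-', an assumption about the proxy's log config)
    coming from outside the trusted networks. Blocked attempts (403) are
    kept so that probing is visible even when a WAF rule already denies it."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "fetchapp" not in rec["path"].lower():
            continue
        if rec["user"] != "-":
            continue  # authenticated session; review separately if needed
        if _is_trusted(rec["ip"], nets):
            continue
        findings.append(rec)
    return findings


def bytes_by_source(findings):
    """Total response bytes per source IP, to correlate volume with size."""
    totals = Counter()
    for rec in findings:
        totals[rec["ip"]] += rec["size"]
    return dict(totals)


def parse_build(version_text):
    """Turn '2026.1.13162' into a comparable tuple of ints."""
    return tuple(int(part) for part in version_text.strip().split("."))


def is_vulnerable_build(version_text):
    """True when the build precedes the fixed build named in the advisory."""
    return parse_build(version_text) < FIXED_BUILD


if __name__ == "__main__":
    hits = find_suspicious_fetchapp(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ip']} {rec['status']} {rec['size']:>6} {rec['path']}")
    print("bytes per source:", bytes_by_source(hits))
    for build in ("2026.1.13161", "2026.1.13162"):
        print(build, "vulnerable" if is_vulnerable_build(build) else "fixed")
```

Run it against real logs by replacing SAMPLE_LOG with the file contents; the per-source byte totals are the figure to correlate with the response-size review the second strategy calls for, and the build check can be fed the version string reported by each instance.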
Monitoring Recommendations
- Forward YouTrack application and reverse proxy logs to a centralized SIEM for long-term analysis
- Alert on outbound traffic anomalies from systems that consume YouTrack APIs
- Track CVE feeds and JetBrains security advisories to detect newly disclosed YouTrack issues
How to Mitigate CVE-2026-49370
Immediate Actions Required
- Upgrade JetBrains YouTrack to version 2026.1.13162 or later as the primary remediation
- Restrict network exposure of YouTrack to trusted networks or VPN-only access until patching is complete
- Audit YouTrack access logs for prior fetchApp requests that may indicate pre-patch reconnaissance
Patch Information
JetBrains has released a fixed version in YouTrack 2026.1.13162. Administrators should apply this update through standard JetBrains upgrade procedures. Details are listed in the JetBrains Issues Fixed page.
Workarounds
- Place YouTrack behind a reverse proxy or WAF that blocks unauthenticated access to fetchApp endpoints
- Limit YouTrack accessibility through network ACLs to known administrative IP ranges
- Disable internet exposure of YouTrack instances until the upgrade can be deployed
# Example reverse proxy rule to restrict fetchApp access (nginx)
# Put this inside the server block that proxies YouTrack. A separate
# location block does not inherit proxy_pass from the general "location /",
# so it has to repeat it; otherwise matching requests would be served from
# the local document root instead of being proxied.
location ~* /fetchApp {
    allow 10.0.0.0/8;                    # example trusted range; adjust to your network
    deny  all;                           # every other source gets 403
    proxy_pass http://YOUTRACK_UPSTREAM; # placeholder: use the same upstream as the main location
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.