CVE-2026-49385 Overview
CVE-2026-49385 is an improper access control vulnerability [CWE-862] in JetBrains YouTrack versions before 2026.1.13570. The flaw allows low-privileged authenticated users to modify service accounts, undermining the integrity of automation identities used for issue tracking, integrations, and CI/CD workflows. JetBrains addressed the issue in YouTrack 2026.1.13570 and documented the fix in their security advisory.
Critical Impact
Authenticated users with minimal privileges can tamper with service accounts, enabling integrity violations across YouTrack automation, integrations, and downstream pipelines.
Affected Products
- JetBrains YouTrack versions prior to 2026.1.13570
- YouTrack Server (self-hosted) deployments running affected versions
- YouTrack Cloud instances not yet updated to the fixed build
Discovery Timeline
- 2026-05-29 - CVE-2026-49385 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-49385
Vulnerability Analysis
The vulnerability resides in YouTrack's authorization layer governing service account management. Service accounts in YouTrack represent non-human identities used by integrations, bots, and automation workflows. They typically hold elevated permissions to operate across projects.
YouTrack failed to enforce the appropriate permission check before processing modification requests targeting these accounts. As a result, a user holding only low-tier project permissions could submit requests that altered service account attributes. The integrity impact is rated High in the CVSS vector, while confidentiality and availability remain unaffected.
Because service accounts often act as trusted principals for external systems, modifications can cascade into connected platforms. An attacker can pivot from YouTrack tampering to abuse of integrations such as Git providers, CI runners, or webhook receivers. The classification of [CWE-862] Missing Authorization aligns directly with the documented behavior.
Root Cause
The root cause is a missing authorization check on endpoints handling service account updates. The application validated authentication but did not verify whether the calling principal possessed the administrative role required to manage service accounts.
Attack Vector
Exploitation requires network access to the YouTrack instance and valid low-privileged credentials. No user interaction is required. An attacker authenticates with a standard account, then issues a crafted request to the service account management endpoint to alter attributes such as ownership, permissions, or associated tokens.
The vulnerability is described in prose because no public proof-of-concept or technical write-up has been released. Refer to the JetBrains Security Issues Fixed advisory for vendor details.
Detection Methods for CVE-2026-49385
Indicators of Compromise
- Unexpected modifications to service account profiles, tokens, or group memberships in YouTrack audit logs.
- Service account activity originating from IP addresses or user agents not associated with established integrations.
- New or rotated API tokens on service accounts that do not correspond to a documented change request.
Detection Strategies
- Review YouTrack audit logs for service account modification events performed by users without administrative roles.
- Correlate API requests to service account endpoints against the requesting user's permission level.
- Alert on changes to service account permissions, group memberships, or token issuance events.
Monitoring Recommendations
- Ingest YouTrack audit and access logs into a centralized SIEM for retention and correlation.
- Baseline normal service account behavior and alert on deviations such as new project access or unusual API call volumes.
- Monitor downstream systems integrated with YouTrack service accounts for anomalous authentication events.
How to Mitigate CVE-2026-49385
Immediate Actions Required
- Upgrade JetBrains YouTrack to version 2026.1.13570 or later without delay.
- Audit all existing service accounts for unauthorized modifications since the affected versions were deployed.
- Rotate API tokens and credentials associated with service accounts as a precaution.
Patch Information
JetBrains has released YouTrack 2026.1.13570 containing the fix. Administrators should apply the update through standard upgrade procedures. Reference the JetBrains Security Issues Fixed page for the official advisory and release notes.
Workarounds
- Restrict network access to the YouTrack instance to trusted administrative networks where feasible until the patch is applied.
- Review and reduce the permission set assigned to low-privileged user roles to limit potential abuse.
- Temporarily disable or limit the scope of high-privilege service accounts that are not actively required.
# Verify YouTrack version after upgrade
curl -s -H "Authorization: Bearer $YT_TOKEN" \
https://youtrack.example.com/api/config?fields=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

