CVE-2026-49386 Overview
CVE-2026-49386 is an improper access control vulnerability in JetBrains YouTrack before version 2026.1.13570. The flaw resides in the Planning Canvas feature and allows authenticated users to enumerate restricted issues and articles they should not have permission to view. The vulnerability maps to CWE-639 (Authorization Bypass Through User-Controlled Key).
JetBrains has released a fixed version addressing the issue. The vulnerability requires low privileges and network access to exploit, with confidentiality impact only.
Critical Impact
Authenticated attackers can enumerate restricted YouTrack issues and articles through the Planning Canvas, exposing confidential project data, internal communications, and intellectual property to unauthorized users.
Affected Products
- JetBrains YouTrack versions prior to 2026.1.13570
- JetBrains YouTrack Planning Canvas component
- Self-hosted and cloud YouTrack deployments running vulnerable versions
Discovery Timeline
- 2026-05-29 - CVE-2026-49386 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-49386
Vulnerability Analysis
The vulnerability is an authorization bypass in the Planning Canvas feature of JetBrains YouTrack. Planning Canvas provides a visual interface for organizing issues and knowledge base articles across projects. The component fails to consistently enforce per-object access controls when listing or referencing items on the canvas.
Authenticated users with limited project membership can leverage Planning Canvas queries to enumerate issue identifiers, titles, and article metadata belonging to projects or knowledge bases they cannot access directly. The attack requires low privileges, no user interaction, and operates over the network. Impact is limited to confidentiality, with no integrity or availability consequences.
Root Cause
The root cause is missing or incomplete authorization checks within the Planning Canvas API endpoints. While direct issue and article retrieval enforces project-level permissions, the canvas enumeration path returns references to restricted objects without validating that the requesting user holds the required Read Issue or Read Article permission. This is a classic CWE-639 flaw: the enumeration path hands back object references without repeating the per-object permission check that the direct retrieval path performs, so the canvas becomes a side channel around the authoritative check.
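To make the flaw class concrete, the following is an added illustration written for this page, not YouTrack source code and not JetBrains' fix. It uses a constructed data model (projects, items, canvases, a per-user permission set) and shows the vulnerable enumeration path beside the hardened one: the direct retrieval path checks the per-object permission, the vulnerable canvas path only checks the canvas's own project, and the fixed canvas path applies the same per-object check to every reference it returns. All names and data are assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in data model (not YouTrack's): items owned by a project or
# knowledge base, canvases that reference items from several projects, and a
# per-user permission set keyed by (permission name, project).
@dataclass(frozen=True)
class Item:
    id: str        # issue id such as "SEC-7" or article id such as "KB-A-3"
    kind: str      # "issue" or "article"
    project: str   # owning project / knowledge base
    title: str

ITEMS = {it.id: it for it in [
    Item("WEB-1", "issue", "WEB", "Login page typo"),
    Item("SEC-7", "issue", "SEC", "Unpatched auth bypass in prod"),
    Item("KB-A-3", "article", "SEC", "Incident response runbook"),
    Item("KB-B-1", "article", "WEB", "Deploy checklist"),
]}

# A canvas belongs to one project but may reference items from other projects.
CANVASES = {
    "WEB-roadmap": {"project": "WEB", "items": ["WEB-1", "SEC-7", "KB-A-3", "KB-B-1"]},
}

# user -> set of (permission, project); alice is a member of WEB only.
PERMS = {
    "alice": {("Read Issue", "WEB"), ("Read Article", "WEB")},
    "bob":   {("Read Issue", "WEB"), ("Read Article", "WEB"),
              ("Read Issue", "SEC"), ("Read Article", "SEC")},
}
REQUIRED = {"issue": "Read Issue", "article": "Read Article"}

def has_permission(user, perm, project):
    return (perm, project) in PERMS.get(user, set())

def get_item(user, item_id):
    """Direct retrieval path: enforces the per-object permission, as the advisory
    says YouTrack's direct issue/article retrieval already did."""
    it = ITEMS[item_id]
    if not has_permission(user, REQUIRED[it.kind], it.project):
        raise PermissionError(f"{user} may not read {item_id}")
    return it

def can_read_directly(user, item_id):
    try:
        get_item(user, item_id)
        return True
    except PermissionError:
        return False

def canvas_list_vulnerable(user, canvas_id):
    """Enumeration path showing the CWE-639 pattern: the only check is on the canvas
    the user opened; every referenced object is then returned unfiltered."""
    canvas = CANVASES[canvas_id]
    if not has_permission(user, "Read Issue", canvas["project"]):
        raise PermissionError(f"{user} may not open {canvas_id}")
    # Defect: ids and titles of items from projects the user cannot read leak here.
    return [(i, ITEMS[i].title) for i in canvas["items"]]

def canvas_list_fixed(user, canvas_id):
    """Hardened path: same entry gate, then each referenced object is filtered by
    the same authoritative check the direct retrieval path uses."""
    canvas = CANVASES[canvas_id]
    if not has_permission(user, "Read Issue", canvas["project"]):
        raise PermissionError(f"{user} may not open {canvas_id}")
    return [(i, ITEMS[i].title) for i in canvas["items"]
            if has_permission(user, REQUIRED[ITEMS[i].kind], ITEMS[i].project)]

if __name__ == "__main__":
    for fn in (canvas_list_vulnerable, canvas_list_fixed):
        print(fn.__name__, [i for i, _ in fn("alice", "WEB-roadmap")])
```

The inconsistency the advisory describes is visible in the results: `can_read_directly("alice", "SEC-7")` is false, yet `canvas_list_vulnerable("alice", "WEB-roadmap")` still returns the SEC-7 id and title. The fix is not a new permission model but reuse of the existing authoritative check on every object the enumeration path emits.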
Attack Vector
An attacker requires a valid YouTrack account with any level of project access. The attacker issues crafted requests to Planning Canvas endpoints to enumerate identifiers and metadata of restricted issues and articles. No exploit code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.002%, indicating a low predicted likelihood of exploitation in the near term.
No verified proof-of-concept code is available. Refer to the JetBrains Fixed Issues List for vendor details.
Detection Methods for CVE-2026-49386
Indicators of Compromise
- Unusual volume of Planning Canvas API requests from a single authenticated user session
- Access log entries showing canvas queries referencing project IDs the user is not a member of
- Authenticated users retrieving issue or article identifiers outside their assigned project scope
Detection Strategies
- Review YouTrack access logs for Planning Canvas endpoint requests correlated with user permission scopes
- Baseline normal canvas usage per user role, then alert on enumeration patterns or high-volume metadata retrieval
- Audit user activity reports for accounts viewing references to issues in projects where they lack membership
Monitoring Recommendations
- Enable verbose audit logging on the YouTrack server and forward logs to a centralized SIEM
- Monitor authentication and API request rates per user, flagging deviations from historical baselines
- Track changes to project and knowledge base permissions to detect attempts at lateral access escalation
How to Mitigate CVE-2026-49386
Immediate Actions Required
- Upgrade JetBrains YouTrack to version 2026.1.13570 or later on all self-hosted instances
- Verify YouTrack Cloud instances are running the patched release; JetBrains Cloud environments are updated automatically
- Review project and knowledge base permissions to confirm only authorized users hold access to sensitive content
- Audit recent Planning Canvas activity logs for evidence of unauthorized enumeration
Patch Information
JetBrains has released YouTrack 2026.1.13570 to remediate this vulnerability. The patch enforces consistent authorization checks on Planning Canvas endpoints so that restricted issues and articles are filtered from results based on the requesting user's permissions. Patch details are published on the JetBrains Fixed Issues List.
Workarounds
- Restrict Planning Canvas feature access to trusted users until patching is complete
- Limit account provisioning to least privilege and remove unused or stale accounts that increase the attack surface
- Place YouTrack behind an authenticated reverse proxy with rate limiting on API endpoints to slow enumeration attempts
# Verify installed YouTrack version on a self-hosted instance.
# The YouTrack REST API returns only id/$type unless the fields you want are
# requested explicitly, so ask for version and build rather than grepping the default output.
curl -s -H "Authorization: Bearer <token>" \
  "https://youtrack.example.com/api/config?fields=version,build"
# Confirm the patched build is >= 2026.1.13570 before re-enabling Planning Canvas access
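Comparing the returned version against the fixed one by string comparison is a common mistake (lexically "2026.1.9999" sorts after "2026.1.13570"). The following added check, which is not part of the advisory, parses the version numerically; the `version` and `build` field names in the JSON response are assumed from the request above, and the sample response body is constructed.

```python
import json
import re

FIXED_VERSION = "2026.1.13570"   # fixed release named in the advisory

def parse_version(s):
    """Turn '2026.1.13570' into (2026, 1, 13570) so comparison is numeric, not lexical."""
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"unparseable version string: {s!r}")
    return tuple(int(p) for p in parts)

def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)

def check_config_response(body):
    """body: JSON text returned by the /api/config request (field names assumed)."""
    cfg = json.loads(body)
    version = cfg.get("version")
    if not version:
        raise ValueError("no 'version' field in response; was fields=version requested?")
    return is_patched(version)

if __name__ == "__main__":
    # Constructed sample response, not captured from a real server.
    sample = '{"version": "2026.1.13570", "build": "13570", "$type": "Config"}'
    print("patched" if check_config_response(sample) else "VULNERABLE, upgrade")
```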
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.