CVE-2026-57924 Overview
CVE-2026-57924 is an information disclosure vulnerability affecting JetBrains YouTrack versions prior to 2026.2.16593. The default role configuration exposed excessive user profile details to accounts that should not have had access to them. The flaw is categorized under [CWE-276: Incorrect Default Permissions] and stems from overly permissive out-of-the-box authorization settings rather than a coding defect. Attackers can query profile data over the network without authentication or user interaction, though the exposed information is limited in scope. JetBrains addressed the issue in version 2026.2.16593.
Critical Impact
Unauthenticated network attackers can enumerate user profile details from affected YouTrack instances due to insecure default role permissions.
Affected Products
- JetBrains YouTrack versions prior to 2026.2.16593
- On-premises YouTrack deployments using default role configurations
- YouTrack instances exposed to untrusted networks
Discovery Timeline
- 2026-06-26 - CVE-2026-57924 published to NVD
- 2026-06-27 - Last updated in NVD database
Technical Details for CVE-2026-57924
Vulnerability Analysis
CVE-2026-57924 is an information disclosure issue rooted in insecure default permissions within JetBrains YouTrack. YouTrack ships with predefined roles that determine which fields on user profiles are visible to which accounts. The default configuration granted broader visibility of profile attributes than warranted, allowing lower-privileged or guest-level identities to view profile details intended for administrators or trusted users. The vulnerability affects confidentiality only. Integrity and availability of the YouTrack instance remain unaffected, and no privilege escalation, data modification, or code execution is possible through this issue. The EPSS score of 0.167% reflects a low observed exploitation likelihood.
Root Cause
The root cause is an incorrect default role definition [CWE-276]. Permissions attached to built-in roles enumerated user profile fields that should have been restricted to higher-privileged roles. Administrators who accepted the default configuration inherited this exposure without explicit consent or warning.
Attack Vector
An attacker interacts with the YouTrack web interface or REST API to retrieve user information. Because the misconfigured permissions apply to default roles, any actor able to reach the YouTrack instance over the network can request profile data through supported endpoints. No authentication, user interaction, or specialized tooling is required beyond standard HTTP clients.
No verified proof-of-concept exploit is public. The vulnerability manifests through routine API queries against user endpoints, where response payloads include profile fields that the default role should not disclose. See the JetBrains Security Issues Fixed advisory for vendor guidance.
Detection Methods for CVE-2026-57924
Indicators of Compromise
- High-volume or sequential requests to YouTrack user profile REST endpoints such as /api/users from a single client or IP.
- Anonymous or low-privileged session identifiers returning full user profile fields including email, groups, or metadata.
- Unexpected external IP addresses querying user enumeration endpoints outside normal usage patterns.
Detection Strategies
- Review YouTrack access logs for unauthenticated or guest-role requests to /api/users and related profile endpoints.
- Compare installed YouTrack version against 2026.2.16593 and flag any instance running an earlier build.
- Audit assigned role permissions and identify accounts with unexpected read access to user profile fields.
Monitoring Recommendations
- Ingest YouTrack application and access logs into a centralized SIEM for correlation and long-term retention.
- Alert on anomalous enumeration patterns such as bursts of requests iterating through user IDs or login names.
- Establish a baseline of expected API consumers and flag deviations from that baseline for review.
How to Mitigate CVE-2026-57924
Immediate Actions Required
- Upgrade YouTrack to version 2026.2.16593 or later, which corrects the default role permissions.
- Review and tighten role assignments so that only trusted accounts can read user profile fields.
- Restrict network access to YouTrack instances so that only authorized users can reach the application.
Patch Information
JetBrains resolved CVE-2026-57924 in YouTrack 2026.2.16593. Administrators of on-premises deployments should apply this update through the standard upgrade path. Cloud-hosted YouTrack instances are updated by JetBrains and require no action. Refer to the JetBrains Security Issues Fixed page for the authoritative fix reference.
Workarounds
- Manually adjust default role permissions to remove read access to sensitive user profile fields until the patch is applied.
- Place YouTrack behind a reverse proxy or VPN to limit exposure to untrusted networks.
- Disable guest access if it is not required for business operations.
# Verify installed YouTrack version and compare against fixed release
curl -s https://<youtrack-host>/api/config | jq '.version'
# Expected output: "2026.2.16593" or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

