{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28193", "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "state": "PUBLISHED", "assignerShortName": "JetBrains", "dateReserved": "2026-02-25T12:35:11.990Z", "datePublished": "2026-02-25T12:57:27.463Z", "dateUpdated": "2026-02-26T14:44:06.777Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "shortName": "JetBrains", "dateUpdated": "2026-02-25T12:57:27.463Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862", "cweId": "CWE-862"}]}], "affected": [{"vendor": "JetBrains", "product": "YouTrack", "versions": [{"version": "0", "status": "affected", "lessThan": "2025.3.121962", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint"}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28193", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-26T04:55:49.115945Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:06.777Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28193", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-26T04:55:49.115945Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T15:07:13.693Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "JetBrains", "product": "YouTrack", "versions": [{"status": "affected", "version": "0", "lessThan": "2025.3.121962", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.jetbrains.com/privacy-security/issues-fixed/"}], "descriptions": [{"lang": "en", "value": "In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862"}]}], "providerMetadata": {"orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "shortName": "JetBrains", "dateUpdated": "2026-02-25T12:57:27.463Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28193", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:06.777Z", "dateReserved": "2026-02-25T12:35:11.990Z", "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014", "datePublished": "2026-02-25T12:57:27.463Z", "assignerShortName": "JetBrains"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jetbrains:youtrack:*:*:*:*:*:*:*:*", "matchCriteriaId": "E093C1C8-5FF8-409A-870F-B75FF2A0FACE", "versionEndExcluding": "2025.3.121962", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint"}], "id": "CVE-2026-28193", "lastModified": "2026-02-26T15:59:53.567", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "cve@jetbrains.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-25T14:16:20.597", "references": [{"source": "cve@jetbrains.com", "tags": ["Vendor Advisory"], "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"}], "sourceIdentifier": "cve@jetbrains.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cve@jetbrains.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2025.3.121962)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "YouTrack", "source": "cna", "vendor": "JetBrains"}, "product": "youtrack", "vendor": "jetbrains"}], "analysis": {"en": {"generated_at": "2026-04-17T15:18:02.410761+00:00", "value": {"mitigation_remediation": ["Upgrade YouTrack to version 2025.3.121962 or later", "If an upgrade is not immediately possible, configure network or application controls to block or log unseen requests to the app permissions endpoint", "Enable auditing and monitoring of permission changes to detect unauthorized modifications promptly"], "summary": {"action": "Apply Patch", "impact": "Unauthorized Modification of App Permissions"}, "threat_synthesis": {"affected_systems": "JetBrains YouTrack prior to version 2025.3.121962 is affected. Users must verify that their installations fall below this version number.", "description_and_impact": "JetBrains YouTrack versions earlier than 2025.3.121962 allow applications to send requests to the app permissions endpoint without proper authorization. This flaw can enable an attacker who can influence or intercept app traffic to modify or expand application permissions, leading to privilege escalation within the YouTrack system or exposure of sensitive data. The weakness identified is a missing authorization control (CWE-862).", "risk_and_exploitability": "The vulnerability is rated high with a CVSS score of 8.8 and a very low EPSS score of less than 1 percent, indicating few publicly known exploitation efforts at this time. The CVE is not listed in CISA\u2019s KEV catalog. Based on the description, the likely attack vector is an internal or remote attacker able to send crafted HTTP requests to the permissions endpoint directly, possibly through a compromised application or an insider with access to the YouTrack API. The lack of authorization controls allows such requests to succeed, potentially granting elevated privileges or unauthorized data access."}}}}, "created": "2026-02-26T13:18:05.967896+00:00", "title": "Unauthorized Access to App Permissions in JetBrains YouTrack", "updated": "2026-04-17T15:30:06.016957+00:00", "vendors": ["jetbrains", "jetbrains$PRODUCT$youtrack"]}