Cyber Posture

CVE-2026-28193

High

Published: 25 February 2026

Published
25 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0000 0.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28193 is a high-severity Missing Authorization (CWE-862) vulnerability in Jetbrains Youtrack. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Directly requires enforcement of approved authorizations for access to sensitive endpoints like app permissions, preventing unauthorized requests from low-privileged users or apps.

AC-6 Least Privilege partial match
prevent

Implements least privilege to restrict low-privileged users from accessing or manipulating app permissions, addressing exploitation potential even if enforcement gaps exist.

SI-2 Flaw Remediation good match
prevent

Requires identification, reporting, and correction of flaws like this missing authorization vulnerability via timely patching to YouTrack 2025.3.121962.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Missing authorization (CWE-862) in public-facing YouTrack app allows low-priv authenticated user to bypass controls and modify app permissions, directly enabling privilege escalation to full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint

Deeper analysisAI

CVE-2026-28193 is a missing authorization vulnerability (CWE-862) affecting JetBrains YouTrack versions before 2025.3.121962. The issue allows apps to send requests to the app permissions endpoint, bypassing expected access controls. Published on 2026-02-25 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), it represents a high-severity flaw in the issue tracking and project management platform.

A low-privileged authenticated user (PR:L) with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing unauthorized manipulation of app permissions and broader system control within the affected YouTrack instance.

JetBrains has issued a patch in YouTrack version 2025.3.121962 to address this vulnerability. Security practitioners should consult the official advisory at https://www.jetbrains.com/privacy-security/issues-fixed/ for mitigation details and upgrade instructions.

Details

CWE(s)
CWE-862

Affected Products

jetbrains
youtrack
≤ 2025.3.121962

CVEs Like This One

CVE-2026-33392Same product: Jetbrains Youtrack
CVE-2025-24458Same product: Jetbrains Youtrack
CVE-2025-23385Same vendor: Jetbrains
CVE-2025-24456Same vendor: Jetbrains
CVE-2025-48574Shared CWE-862
CVE-2024-57726Shared CWE-862
CVE-2024-55073Shared CWE-862
CVE-2025-24734Shared CWE-862
CVE-2025-48578Shared CWE-862
CVE-2025-7695Shared CWE-862

References