Cyber Resilience

CVE-2026-28193

High

Published: 25 February 2026

Published
25 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0024 14.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-28193 is a high-severity Missing Authorization (CWE-862) vulnerability in Jetbrains Youtrack. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 14.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28193 is a missing authorization vulnerability (CWE-862) affecting JetBrains YouTrack versions before 2025.3.121962. The issue allows apps to send requests to the app permissions endpoint, bypassing expected access controls. Published on 2026-02-25 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), it represents a high-severity flaw in the issue tracking and project management platform.

A low-privileged authenticated user (PR:L) with network access can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing unauthorized manipulation of app permissions and broader system control within the affected YouTrack instance.

JetBrains has issued a patch in YouTrack version 2025.3.121962 to address this vulnerability. Security practitioners should consult the official advisory at https://www.jetbrains.com/privacy-security/issues-fixed/ for mitigation details and upgrade instructions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Missing authorization (CWE-862) in public-facing YouTrack app allows low-priv authenticated user to bypass controls and modify app permissions, directly enabling privilege escalation to full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33392Same product: Jetbrains Youtrack
CVE-2025-24458Same product: Jetbrains Youtrack
CVE-2025-24456Same vendor: Jetbrains
CVE-2025-23385Same vendor: Jetbrains
CVE-2026-32658Shared CWE-862
CVE-2026-6506Shared CWE-862
CVE-2025-48574Shared CWE-862
CVE-2025-21396Shared CWE-862
CVE-2021-47701Shared CWE-862
CVE-2026-40349Shared CWE-862

Affected Assets

jetbrains
youtrack
≤ 2025.3.121962

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires enforcement of approved authorizations for access to sensitive endpoints like app permissions, preventing unauthorized requests from low-privileged users or apps.

prevent

Implements least privilege to restrict low-privileged users from accessing or manipulating app permissions, addressing exploitation potential even if enforcement gaps exist.

prevent

Requires identification, reporting, and correction of flaws like this missing authorization vulnerability via timely patching to YouTrack 2025.3.121962.

References