YouTrack Security Update: Upgrade Required for YouTrack Server
We’re sharing this update to inform YouTrack administrators about several security vulnerabilities that were recently identified and fixed in YouTrack.
For YouTrack Cloud users, this post is purely informational – YouTrack Cloud has already been patched and no action is required.
For YouTrack Server administrators, we recommend upgrading to one of the fixed versions listed below. Fixed builds are available for supported YouTrack Server versions starting from 2024.2. If your installation is running an earlier version, we recommend upgrading to YouTrack Server 2024.2 or newer.
We have found no evidence that any of these vulnerabilities were exploited outside of testing environments.
Please read on for the recommended actions.
Recommended action for YouTrack Server administrators
If you are running YouTrack Server, we strongly recommend upgrading to one of the following versions or newer:
- 2026.1.13757 for 2026.1 installations
- 2025.3.148033 for 2025.3 installations
- 2025.2.148048 for 2025.2 installations
- 2025.1.148120 for 2025.1 installations
- 2024.3.148430 for 2024.3 installations
- 2024.2.148429 for 2024.2 installations
If your installation is running a version earlier than 2024.2, we recommend upgrading to YouTrack Server 2024.2 or newer.
You can check your current version under Administration → Server Settings → Global Settings. To see which versions are available with your upgrade and support subscription, visit your JetBrains Account.
To upgrade a YouTrack 2026.1 installation, download the latest available version from the YouTrack download page, or choose a specific version on the previous versions page. For upgrade instructions, refer to the Installation and Upgrade documentation.
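The version check described in this section, as an added example (not JetBrains code): it compares each installed build with the fixed build for the same release line, because build numbers are not comparable across lines (2026.1.13757 is fixed while 2025.3.147000 is not). The instance names and inventory are constructed, and the comparison assumes build numbers increase within a release line.

```python
import re

# Fixed builds per release line, copied from the list in this post.
FIXED_BUILDS = {
    (2024, 2): 148429,
    (2024, 3): 148430,
    (2025, 1): 148120,
    (2025, 2): 148048,
    (2025, 3): 148033,
    (2026, 1): 13757,
}
OLDEST_LINE = min(FIXED_BUILDS)   # 2024.2: earliest line with a fixed build
NEWEST_LINE = max(FIXED_BUILDS)   # 2026.1: latest line listed in this post
VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)$")


def classify(version):
    """Classify a version string as shown under Global Settings, e.g. '2025.3.148033'."""
    match = VERSION_RE.match(version.strip())
    if not match:
        return "unparsed"
    year, minor, build = map(int, match.groups())
    line = (year, minor)
    if line < OLDEST_LINE:
        return "upgrade-line"    # older than 2024.2: move to 2024.2 or newer
    if line in FIXED_BUILDS:
        # Assumption: within one release line, a higher build number is newer.
        return "fixed" if build >= FIXED_BUILDS[line] else "upgrade-build"
    if line > NEWEST_LINE:
        return "newer-line"      # later than anything listed here: confirm separately
    return "unlisted-line"       # inside the range but not in the list above


def needs_action(inventory):
    """Return {instance: status} for every instance that is not confirmed fixed."""
    statuses = {name: classify(version) for name, version in inventory.items()}
    return {name: status for name, status in statuses.items() if status != "fixed"}


if __name__ == "__main__":
    # Constructed inventory; instance names are hypothetical.
    sample = {
        "yt-prod": "2025.3.148033",
        "yt-staging": "2025.3.147000",
        "yt-legacy": "2023.3.22666",
        "yt-lab": "2026.1.13757",
    }
    for name, status in needs_action(sample).items():
        print(f"{name}: {status}")
```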
The vulnerabilities
In May 2026, independent researchers and the JetBrains team together identified several critical vulnerabilities via the Coordinated Disclosure Policy and internal security research activities.
As security research evolves through advances in automation and AI-assisted techniques, JetBrains continues to invest in vulnerability discovery, coordinated disclosure initiatives, and collaboration with the security community to help identify and address emerging risks.
Based on our internal investigation, the reports appear to have originated from advanced security research that leveraged AI-assisted testing techniques. The combination of extensive preparation, systematic analysis, and AI-assisted workflows likely enabled researchers to identify vulnerabilities in older areas of the codebase that had not been uncovered through previous security assessments.
The vulnerabilities affect YouTrack versions prior to the fixed releases listed above.
Two of the issues were relevant for YouTrack Cloud:
- An admin account takeover was possible through authentication token forgery (CVE-2026-56141).
- It was possible to bypass the email verification flow entirely (CVE-2026-56142).
YouTrack Server was affected by both issues listed above. In addition, an admin account takeover was possible via direct database access (CVE-2026-50242).
Mitigation
After receiving the reports, we patched YouTrack Cloud and prepared fixed builds for supported YouTrack Server versions starting from 2024.2.
We have found no evidence that any of the vulnerabilities were exploited outside of testing environments.
Security bulletin
A complete list of recently fixed security issues is available on the Fixed security issues page on the JetBrains website. You can also subscribe to receive email notifications about fixes in all JetBrains products.
Frequently asked questions
Which versions are affected?
The vulnerabilities affected YouTrack versions prior to the fixed releases listed in this post. Fixed Server builds are available for supported versions starting from 2024.2.
What should I do if my YouTrack Server version is older than 2024.2?
We recommend upgrading to YouTrack Server 2024.2 or newer.
Is YouTrack Cloud affected?
YouTrack Cloud was affected, but all Cloud instances have already been patched. We have found no evidence that any of the vulnerabilities were exploited outside of testing environments. No action is required from Cloud users.
Is YouTrack Server affected?
Yes. YouTrack Server is affected by all three vulnerabilities described in this post. Although we have found no evidence that any of the vulnerabilities were exploited outside of testing environments, we strongly recommend upgrading to a fixed version.
Was my data compromised?
We have found no evidence that any of the vulnerabilities were exploited outside of testing environments.
Support
If you have any questions regarding this issue, please get in touch with the YouTrack Support team.
Your YouTrack team