Vulnerability  ·  2026-06-28

JetBrains YouTrack MCP — Project Settings Disclosure via MCP Endpoint (CVSS 3.1)

Vulnerability  ·  Low impact  ·  Global  ·  CVE-2026-57922
CVE-2026-57922 (CVSS 3.1 Low) was published 2026-06-26. In JetBrains YouTrack before 2026.2.16593, project settings could be disclosed via the MCP server. Fixed in 2026.2.16593.
As issue trackers like YouTrack add MCP interfaces to enable AI agents to query and update tickets, MCP endpoints become new data-disclosure surfaces. Even low-severity information disclosure from an MCP endpoint can feed reconnaissance for further attacks on AI-integrated development workflows.
The YouTrack MCP server exposes project settings information through the MCP endpoint without adequate access controls. An attacker with MCP endpoint access can read project configuration data that should be restricted.
Affected: JetBrains YouTrack < 2026.2.16593
Upgrade to YouTrack ≥ 2026.2.16593. Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
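To check an inventory of YouTrack instances against the fixed build, the following added example (not JetBrains code and not part of the original advisory) classifies reported version strings. It assumes versions use the three-part numeric form shown in the advisory; the host names and sample versions are constructed.

```python
"""Triage a YouTrack inventory against the CVE-2026-57922 fixed build."""
import re

FIXED = (2026, 2, 16593)  # fixed version stated in the advisory


def parse_version(text):
    """Return (year, release, build) as integers, or None if the string does not fit.

    Assumption: versions are three dotted numeric components, e.g. 2026.2.16593.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Classify one reported version as 'affected', 'fixed' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # needs manual review; never assume it is fixed
    # Tuples compare component by component as integers, so build 9999
    # sorts before 16593 (a plain string comparison would get this wrong).
    return "affected" if v < FIXED else "fixed"


def triage(inventory):
    """Map each instance name to its classification."""
    return {name: classify(ver) for name, ver in inventory.items()}


# Constructed sample inventory; host names and versions are illustrative.
SAMPLE = {
    "yt-prod.example.internal": "2026.2.16593",
    "yt-stage.example.internal": "2026.2.9999",
    "yt-legacy.example.internal": "2025.3.99999",
    "yt-lab.example.internal": "2026.2",
    "yt-new.example.internal": "2026.3.100",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{status:8} {host} ({SAMPLE[host]})")
```

Instances reported as "unknown" have a version string that could not be parsed and should be checked by hand before being treated as patched.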
Sources
NVD CVE-2026-57922
JetBrains Security Issues Fixed