CVE-2026-57926
YouTrack Vulnerability Analysis and Mitigation

Overview

CVE-2026-57926 is a prototype pollution vulnerability in the websandbox bridge of JetBrains YouTrack, affecting all versions before 2026.2.16593. The flaw allows attackers to modify JavaScript object prototypes through malicious input, potentially altering application behavior at runtime. It was published on June 26, 2026, with a patch released in version 2026.2.16593. NVD assigns a CVSS v3.1 base score of 9.8 (Critical), while ENISA's EUVD rates it more conservatively at 2.6 (Low) with a higher-complexity vector, reflecting differing assessments of exploitability preconditions (JetBrains Advisory, Feedly).

Technical details

The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')). The websandbox bridge in YouTrack fails to properly sanitize or restrict user-controlled input before it is used to set properties on JavaScript objects, allowing an attacker to inject keys such as __proto__ or constructor.prototype and thereby modify shared object prototypes. Because properties placed on a prototype are inherited by every object that derives from it, downstream application logic that reads those properties behaves unexpectedly. Exploitation requires an authenticated user with at least standard user privileges to send a crafted request through the websandbox bridge (Feedly, EUVD).

Impact

Successful exploitation allows an authenticated attacker to tamper with the application's runtime state by polluting JavaScript object prototypes, potentially modifying application behavior, bypassing logic checks, or corrupting data integrity. The primary impact is on integrity, with possible secondary effects on availability if critical application objects are corrupted. Confidentiality impact is assessed as low to none based on the ENISA scoring, though NVD's critical rating suggests potential for broader impact depending on how polluted properties are consumed by the application (Feedly, EUVD).

Exploitation steps

  1. Authentication: Log in to a vulnerable JetBrains YouTrack instance (version < 2026.2.16593) with at least standard user credentials.
  2. Identify the websandbox bridge: Locate functionality within YouTrack that processes user-supplied input through the websandbox bridge (e.g., custom workflow scripts, widget configurations, or similar sandboxed JavaScript execution contexts).
  3. Craft a prototype pollution payload: Construct a malicious input containing a prototype-polluting key, such as {"__proto__": {"pollutedKey": "maliciousValue"}} or equivalent nested object notation targeting constructor.prototype.
  4. Submit the crafted request: Send the payload via the relevant YouTrack UI or API endpoint that passes input to the websandbox bridge without adequate sanitization.
  5. Observe prototype pollution: Verify that the injected property is now present on base JavaScript objects within the application context, potentially altering application logic, bypassing access checks, or causing unexpected behavior (Feedly, EUVD).

Indicators of compromise

  • Logs: Unusual or malformed JSON payloads in YouTrack application logs containing keys such as __proto__, constructor, or prototype submitted via API or UI endpoints associated with the websandbox bridge.
  • Application Behavior: Unexpected changes in application logic, access control decisions, or property values that cannot be explained by normal configuration changes — potentially indicating polluted prototype properties.
  • Network: Authenticated HTTP requests to YouTrack endpoints handling workflow scripts or widget configurations with anomalous nested object structures in request bodies.

Mitigation and workarounds

JetBrains has released a fix in YouTrack version 2026.2.16593; upgrading to this version or later is the recommended remediation (JetBrains Advisory). As a workaround prior to patching, restrict access to YouTrack instances to trusted and necessary users only, and implement input validation and sanitization for all user inputs processed by the websandbox bridge. Monitor for suspicious activity patterns that may indicate attempted prototype pollution exploits.
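To make the CWE-1321 mechanism from the technical details and the input-validation workaround above concrete, here is an added JavaScript example. It is not YouTrack's or JetBrains' code and not the websandbox bridge itself: it shows a naive recursive merge of the kind the weakness describes next to a hardened version that refuses prototype-reaching keys, using the payload quoted in the exploitation steps. The function names and the merge logic are assumptions for illustration.

```javascript
// Added example (not JetBrains/YouTrack code): the CWE-1321 pattern and a fix.
// Function names and merge logic are assumptions for illustration.

// Vulnerable: copies every own key of `src` into `dst`, "__proto__" included.
// Reading dst["__proto__"] on a plain object yields Object.prototype, so the
// recursion then writes the attacker's properties onto the shared prototype,
// where every plain object in the process inherits them.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value && typeof value === "object") {
      if (!dst[key] || typeof dst[key] !== "object") dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys that let a merge escape the target object and reach its prototype chain.
const PROTOTYPE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: rejects prototype-reaching keys and only recurses into properties
// that `dst` actually owns, so an inherited object is never used as a target.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (PROTOTYPE_KEYS.has(key)) {
      throw new Error(`rejected prototype-reaching key: ${key}`);
    }
    const value = src[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !dst[key] || typeof dst[key] !== "object") dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Feeds the payload quoted in the report through both merges and returns what
// a brand-new object sees afterwards in each case. The polluted property is
// deleted again so the demonstration does not leave the process tampered.
function demonstrate() {
  // JSON.parse creates an own data property literally named "__proto__";
  // that is exactly the key a naive key loop then assigns through.
  const payload = JSON.parse('{"__proto__": {"pollutedKey": "maliciousValue"}}');

  unsafeMerge({}, payload);
  const afterUnsafe = ({}).pollutedKey;   // inherited from Object.prototype
  delete Object.prototype.pollutedKey;    // undo the pollution

  let afterSafe;
  try {
    safeMerge({}, payload);
    afterSafe = ({}).pollutedKey;
  } catch (err) {
    afterSafe = err.message;
  }
  return { afterUnsafe, afterSafe, cleanNow: ({}).pollutedKey === undefined };
}

console.log(demonstrate());
```

Rejecting the key outright, rather than silently dropping it, keeps the attempt visible to the caller and to logging. Building destination objects with Object.create(null) is another common defense, since such objects have no prototype for the write to escape to; the key check remains useful because the merged result may later be copied into an ordinary object.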

Community reactions

The vulnerability received standard automated coverage across vulnerability tracking platforms including Vulners, CVEFeed, VulDB, and Tenable's plugin pipeline shortly after disclosure (Tenable). A Bluesky post from a CVE tracking account noted the disclosure. No notable independent researcher commentary, vendor blog posts, or significant media coverage has been identified beyond routine aggregation.

This report was generated with the help of AI.

Related YouTrack vulnerabilities (CVE ID; severity and score; technology; component name; in CISA KEV; fixed; publication date):

  • CVE-2026-57926; CRITICAL 9.8; YouTrack; cpe:2.3:a:jetbrains:youtrack; CISA KEV: No; fixed: Yes; published Jun 26, 2026
  • CVE-2026-57923; HIGH 7.5; YouTrack; cpe:2.3:a:jetbrains:youtrack; CISA KEV: No; fixed: Yes; published Jun 26, 2026
  • CVE-2026-57925; MEDIUM 5.3; YouTrack; youtrack; CISA KEV: No; fixed: Yes; published Jun 26, 2026
  • CVE-2026-57924; MEDIUM 5.3; YouTrack; cpe:2.3:a:jetbrains:youtrack; CISA KEV: No; fixed: Yes; published Jun 26, 2026
  • CVE-2026-57922; MEDIUM 5.3; YouTrack; cpe:2.3:a:jetbrains:youtrack; CISA KEV: No; fixed: Yes; published Jun 26, 2026
