CVE-2025-47850 is a medium-severity vulnerability identified in JetBrains YouTrack, a popular issue tracking and project management tool widely used in software development and IT teams. The vulnerability is classified under CWE-306, which refers to 'Missing Authentication for Critical Function.' Specifically, this flaw allows restricted attachments—files that should only be visible to authorized users—to become visible after an issue cloning operation. In other words, when a user clones an issue within YouTrack, attachments that were originally access-restricted may inadvertently be exposed to users who should not have permission to view them. This issue affects versions of YouTrack prior to 2025.1.74704. The CVSS v3.1 base score is 4.3 (medium), with the vector indicating that the attack can be performed remotely over the network (AV:N), requires low attack complexity (AC:L), requires privileges (PR:L), does not require user interaction (UI:N), and impacts confidentiality only (C:L) without affecting integrity or availability. No known exploits are currently reported in the wild. The vulnerability arises due to insufficient enforcement of access control checks during the cloning process, leading to unauthorized disclosure of sensitive attachments. This can result in leakage of confidential information such as proprietary documents, internal reports, or personally identifiable information embedded in attachments.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on YouTrack for managing sensitive projects, including software development, compliance tracking, or internal audits. Unauthorized exposure of restricted attachments could lead to data breaches involving intellectual property, customer data, or regulatory information. This could result in reputational damage, legal liabilities under GDPR and other data protection laws, and potential financial penalties. Since the vulnerability only affects confidentiality and does not impact integrity or availability, the primary risk is information disclosure. However, given that YouTrack is often integrated into broader development pipelines and used by cross-functional teams, the leakage of restricted attachments could facilitate further attacks or insider threats. The requirement for low privileges to exploit means that any user with limited access could potentially escalate their visibility to sensitive attachments, increasing the risk from insider threats or compromised accounts.

To mitigate this vulnerability, European organizations should promptly update JetBrains YouTrack to version 2025.1.74704 or later, where the issue has been addressed. Until patching is possible, organizations should review and tighten access control policies around issue cloning operations, restricting cloning permissions to trusted users only. Administrators should audit existing cloned issues to identify any unauthorized exposure of attachments and remove or reclassify them as necessary. Implementing strict role-based access controls (RBAC) and monitoring cloning activities through audit logs can help detect and prevent misuse. Additionally, organizations should educate users about the risks of cloning issues containing sensitive attachments and encourage verification of attachment visibility post-cloning. Network segmentation and limiting YouTrack access to internal or VPN-only users can reduce exposure. Finally, integrating Data Loss Prevention (DLP) tools to monitor attachment sharing and usage within YouTrack can provide an additional layer of protection.