Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion
AnalysisAI
Credential parameter exposure in JetBrains TeamCity before version 2026.1 allows authenticated low-privilege users to access sensitive credential values through the parameter autocompletion feature. Rooted in CWE-862 (Missing Authorization), the autocompletion endpoint fails to enforce proper access controls before surfacing credential parameters, potentially leaking secrets such as passwords, tokens, or API keys stored in build configurations. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the low attack complexity and network accessibility make it a meaningful lateral movement or privilege escalation risk in multi-tenant CI/CD environments.
Technical ContextAI
JetBrains TeamCity is a CI/CD platform that supports parameterized build configurations, including credential-type parameters for storing secrets used in pipelines. The autocompletion feature assists users in referencing parameter names during configuration; however, the underlying endpoint governed by CWE-862 (Missing Authorization) does not correctly enforce access controls, inadvertently returning values - not just names - of credential parameters to users who lack explicit read authorization. The affected scope covers all TeamCity installations matching CPE cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:* prior to the 2026.1 release. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) confirms the issue is network-exploitable with low complexity and requires only low-privilege authentication, with confidentiality impact limited to partial disclosure.
RemediationAI
The primary fix is to upgrade JetBrains TeamCity to version 2026.1 or later, which resolves the missing authorization check on the parameter autocompletion endpoint. The JetBrains security advisory at https://www.jetbrains.com/privacy-security/issues-fixed/ confirms this as the vendor-released patch. If immediate upgrade is not possible, administrators should audit and restrict which users have access to build configurations containing credential parameters, minimizing the pool of low-privilege accounts that could trigger autocompletion. Additionally, consider rotating any credential parameters stored in TeamCity as a precaution, particularly those used in privileged or production pipeline steps, since exposure via autocompletion may have occurred prior to detection. Note that restricting user roles as a workaround reduces functionality for legitimate users who need build configuration access.
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible. Rated criti
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible. Rated criti
In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible. Rated critical severity (CVSS
In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical s
In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific e
In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible. Rated c
JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. Rated
In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical sev
In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. Rated critical severity (CVSS 9
In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. Rated critical severity (CVS
In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient. Rated critic
In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible. Rated critica
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33386
GHSA-pg2h-77h8-9m6v