Skip to main content

JetBrains TeamCity CVE-2026-49378

| EUVDEUVD-2026-33386 MEDIUM
Missing Authorization (CWE-862)
2026-05-29 JetBrains GHSA-pg2h-77h8-9m6v
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
May 29, 2026 - 20:02 EUVD
Analysis Generated
May 29, 2026 - 18:57 vuln.today

DescriptionCVE.org

In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion

AnalysisAI

Credential parameter exposure in JetBrains TeamCity before version 2026.1 allows authenticated low-privilege users to access sensitive credential values through the parameter autocompletion feature. Rooted in CWE-862 (Missing Authorization), the autocompletion endpoint fails to enforce proper access controls before surfacing credential parameters, potentially leaking secrets such as passwords, tokens, or API keys stored in build configurations. No public exploit code exists and this vulnerability is not listed in CISA KEV, but the low attack complexity and network accessibility make it a meaningful lateral movement or privilege escalation risk in multi-tenant CI/CD environments.

Technical ContextAI

JetBrains TeamCity is a CI/CD platform that supports parameterized build configurations, including credential-type parameters for storing secrets used in pipelines. The autocompletion feature assists users in referencing parameter names during configuration; however, the underlying endpoint governed by CWE-862 (Missing Authorization) does not correctly enforce access controls, inadvertently returning values - not just names - of credential parameters to users who lack explicit read authorization. The affected scope covers all TeamCity installations matching CPE cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:* prior to the 2026.1 release. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) confirms the issue is network-exploitable with low complexity and requires only low-privilege authentication, with confidentiality impact limited to partial disclosure.

RemediationAI

The primary fix is to upgrade JetBrains TeamCity to version 2026.1 or later, which resolves the missing authorization check on the parameter autocompletion endpoint. The JetBrains security advisory at https://www.jetbrains.com/privacy-security/issues-fixed/ confirms this as the vendor-released patch. If immediate upgrade is not possible, administrators should audit and restrict which users have access to build configurations containing credential parameters, minimizing the pool of low-privilege accounts that could trigger autocompletion. Additionally, consider rotating any credential parameters stored in TeamCity as a precaution, particularly those used in privileged or production pipeline steps, since exposure via autocompletion may have occurred prior to detection. Note that restricting user roles as a workaround reduces functionality for legitimate users who need build configuration access.

CVE-2024-27198 CRITICAL POC
9.8 Mar 04

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible. Rated criti

CVE-2023-42793 CRITICAL POC
9.8 Sep 19

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible. Rated criti

CVE-2024-23917 CRITICAL POC
9.8 Feb 06

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible. Rated critical severity (CVSS

CVE-2024-41827 CRITICAL
9.8 Jul 22

In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical s

CVE-2024-36470 CRITICAL
9.8 May 29

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific e

CVE-2023-34218 CRITICAL
9.8 May 31

In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible. Rated c

CVE-2022-25263 CRITICAL
9.8 Feb 25

JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. Rated

CVE-2022-24340 CRITICAL
9.8 Feb 25

In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical sev

CVE-2022-24331 CRITICAL
9.8 Feb 25

In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. Rated critical severity (CVSS 9

CVE-2021-43202 CRITICAL
9.8 Nov 30

In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. Rated critical severity (CVS

CVE-2021-43200 CRITICAL
9.8 Nov 09

In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient. Rated critic

CVE-2021-43193 CRITICAL
9.8 Nov 09

In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible. Rated critica

Share

CVE-2026-49378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy