Skip to main content

JetBrains TeamCity CVE-2026-49381

| EUVDEUVD-2026-33389 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-29 JetBrains GHSA-mhr7-j6qx-58mw
3.4
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.4 LOW
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
May 29, 2026 - 20:02 EUVD
Analysis Generated
May 29, 2026 - 18:57 vuln.today

DescriptionCVE.org

In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible

AnalysisAI

Stored cross-site scripting in JetBrains TeamCity's SAML login page allows a high-privileged attacker to inject persistent malicious scripts that execute in victims' browsers upon visiting the login page. All TeamCity versions prior to 2026.1 are affected. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect browser sessions beyond the immediate component, though confidentiality impact is rated low and no integrity or availability loss is assessed. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Technical ContextAI

The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting), specifically the stored (persistent) variant. JetBrains TeamCity is a CI/CD platform; its SAML login page facilitates federated authentication via Security Assertion Markup Language, commonly used in enterprise SSO configurations. The affected CPE is cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*, encompassing all platform variants before 2026.1. Stored XSS on an authentication page is particularly sensitive because the login page is visited by all users relying on SAML SSO, and injected payloads persist server-side, executing for every subsequent visitor without further attacker interaction after initial injection.

RemediationAI

Upgrade JetBrains TeamCity to version 2026.1 or later, which contains the vendor-released patch for this stored XSS on the SAML login page. The fix is confirmed by JetBrains at https://www.jetbrains.com/privacy-security/issues-fixed/. As a compensating control for organizations unable to patch immediately, restricting admin-level access to the minimum necessary set of trusted accounts reduces the attacker surface significantly, since exploitation requires PR:H (high privileges). Additionally, if SAML SSO is not in active use, disabling the SAML login page configuration eliminates exposure entirely for that deployment, though this would impact SSO-dependent users. Organizations should audit admin account activity for any unexpected changes to SAML-related configuration.

CVE-2024-27198 CRITICAL POC
9.8 Mar 04

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible. Rated criti

CVE-2023-42793 CRITICAL POC
9.8 Sep 19

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible. Rated criti

CVE-2024-23917 CRITICAL POC
9.8 Feb 06

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible. Rated critical severity (CVSS

CVE-2024-41827 CRITICAL
9.8 Jul 22

In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical s

CVE-2024-36470 CRITICAL
9.8 May 29

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific e

CVE-2023-34218 CRITICAL
9.8 May 31

In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible. Rated c

CVE-2022-25263 CRITICAL
9.8 Feb 25

JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. Rated

CVE-2022-24340 CRITICAL
9.8 Feb 25

In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical sev

CVE-2022-24331 CRITICAL
9.8 Feb 25

In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. Rated critical severity (CVSS 9

CVE-2021-43202 CRITICAL
9.8 Nov 30

In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. Rated critical severity (CVS

CVE-2021-43200 CRITICAL
9.8 Nov 09

In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient. Rated critic

CVE-2021-43193 CRITICAL
9.8 Nov 09

In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible. Rated critica

Share

CVE-2026-49381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy