Skip to main content

Teamcity CVE-2026-59793

| EUVDEUVD-2026-42911 HIGH
External Control of File Name or Path (CWE-73)
2026-07-10 JetBrains GHSA-j8x6-f4hm-gpqh
8.8
CVSS 3.1 · Vendor: JetBrains
Share

Severity by source

Vendor (JetBrains) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (JetBrains) · only source for this CVE.

CVSS VectorVendor: JetBrains

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 16:16 EUVD
Analysis Generated
Jul 10, 2026 - 15:41 vuln.today

DescriptionCVE.org

In JetBrains TeamCity before 2026.1.2 arbitrary file access was possible via the Perforce VCS integration

AnalysisAI

Arbitrary file access in JetBrains TeamCity before 2026.1.2 lets an authenticated user abuse the Perforce (P4) VCS integration to read files outside intended boundaries on the TeamCity server host. The flaw (CWE-73, external control of file name or path) was self-reported by JetBrains and is fixed in 2026.1.2; no public exploit identified at time of analysis, and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

24 hours: Inventory all TeamCity instances and current versions; audit users with Perforce VCS root creation permissions and restrict where possible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-27198 CRITICAL POC
9.8 Mar 04

In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible. Rated criti

CVE-2023-42793 CRITICAL POC
9.8 Sep 19

In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible. Rated criti

CVE-2024-23917 CRITICAL POC
9.8 Feb 06

In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible. Rated critical severity (CVSS

CVE-2024-41827 CRITICAL
9.8 Jul 22

In JetBrains TeamCity before 2024.07 access tokens could continue working after deletion or expiration. Rated critical s

CVE-2024-36470 CRITICAL
9.8 May 29

In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 authentication bypass was possible in specific e

CVE-2023-34218 CRITICAL
9.8 May 31

In JetBrains TeamCity before 2023.05 bypass of permission checks allowing to perform admin actions was possible. Rated c

CVE-2022-25263 CRITICAL
9.8 Feb 25

JetBrains TeamCity before 2021.2.3 was vulnerable to OS command injection in the Agent Push feature configuration. Rated

CVE-2022-24340 CRITICAL
9.8 Feb 25

In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the configuration file was possible. Rated critical sev

CVE-2022-24331 CRITICAL
9.8 Feb 25

In JetBrains TeamCity before 2021.1.4, GitLab authentication impersonation was possible. Rated critical severity (CVSS 9

CVE-2021-43202 CRITICAL
9.8 Nov 30

In JetBrains TeamCity before 2021.1.3, the X-Frame-Options header is missing in some cases. Rated critical severity (CVS

CVE-2021-43200 CRITICAL
9.8 Nov 09

In JetBrains TeamCity before 2021.1.2, permission checks in the Agent Push functionality were insufficient. Rated critic

CVE-2021-43193 CRITICAL
9.8 Nov 09

In JetBrains TeamCity before 2021.1.2, remote code execution via the agent push functionality is possible. Rated critica

Share

CVE-2026-59793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy