Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (CVE.org)
In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible
Analysis (AI)
Server-side request forgery in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 allows remote unauthenticated attackers to coerce the build server into issuing arbitrary outbound HTTP requests through the build status functionality. The CVSS 7.5 score (C:H/I:N/A:N) reflects high-impact disclosure of internal data with no integrity or availability effects; no public exploit was identified at the time of analysis.
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires network reachability to the TeamCity Server's HTTP interface and the ability to issue requests to its build status functionality; per CVSS PR:N/UI:N, no authentication and no user interaction are needed. … |
| Risk Assessment | The CVSS vector AV:N/AC:L/PR:N/UI:N indicates a network-reachable, low-complexity, unauthenticated attack with no user interaction, a textbook profile for opportunistic mass exploitation against internet-exposed TeamCity instances. … |
| Exploit Scenario | An external attacker scans the internet for exposed TeamCity servers and sends an unauthenticated HTTP request to the build status surface with a crafted target URL pointing at the cloud provider's instance metadata service. The TeamCity server fetches the URL with its own network identity and returns the response content to the attacker, exposing temporary IAM credentials or internal-only admin endpoints. … |
| Remediation | Vendor-released patch: upgrade TeamCity Server to 2026.1, or to 2025.11.5 on the LTS-style 2025.11 maintenance branch, per the JetBrains issues-fixed page at https://www.jetbrains.com/privacy-security/issues-fixed/. … |
Recommended Action (AI)
Within 24 hours: inventory all TeamCity deployments and document current versions; assess network exposure and access controls for each instance. …
- Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to serve
- In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab. Rated medi
- In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources. Rated h
- Information disclosure in JetBrains TeamCity prior to version 2026.1 allows authenticated low-privilege users to read se
- Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrar
- Remote code execution in JetBrains TeamCity versions prior to 2026.1 is achievable by authenticated users who can config
- Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensit
- Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote at
- Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inje
- In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible
- In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible
- In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible. Rated medium se
Same weakness: CWE-918 – Server-Side Request Forgery (SSRF)
EUVD-2026-33380
GHSA-62q7-rxv8-hw8r