Severity by source
CVSS v3.1 vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD; the only source for this CVE.
Description (CVE.org)
In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings
Analysis (AI)
Remote code execution in JetBrains TeamCity versions prior to 2026.1 is achievable by authenticated users who can configure Perforce connection settings on a build project. The flaw, classified as CWE-88 (argument injection), allows attackers with project configuration privileges to inject arguments through Perforce VCS root parameters, leading to command execution on the TeamCity server. …
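The CWE-88 pattern described above, as an added illustration that is not TeamCity's code and does not reproduce this CVE: a settings form whose free-text values are placed into the argv of the p4 command-line client. The field names (port, user, path), the p4 invocation and the small option table are assumptions made for the example. The point it shows is that argument injection needs no shell: a list-style exec is enough, because the child process's own option parser decides what a leading "-" means. The hardened builder rejects any value that does not match the grammar of its field.

```python
import re
from typing import Dict, List, Tuple

# Constructed subset of option letters that, in a getopt-style parser, consume
# the next token as their argument. Not p4's real table; see `p4 help usage`.
P4_GLOBAL_OPTS_WITH_ARG = {"-p", "-u", "-c", "-P", "-C", "-H", "-x", "-z", "-L"}
P4_SYNC_OPTS_WITH_ARG = {"-m"}

# Constructed form submissions with hypothetical field names.
BENIGN = {"port": "perforce.example.com:1666", "user": "builder",
          "path": "//depot/main/..."}
HOSTILE = dict(BENIGN, path="-n")      # a value that reads as an option


def build_argv_unsafe(s: Dict[str, str]) -> List[str]:
    """Vulnerable pattern (CWE-88). No shell is involved, so shell-escaping
    does nothing: 'path' lands in a positional slot where p4 would interpret
    a leading '-' as an option."""
    return ["p4", "-p", s["port"], "-u", s["user"], "sync", s["path"]]


def parse_getopt_style(argv: List[str]) -> Tuple[Dict[str, str], str,
                                                 Dict[str, str], List[str]]:
    """Tiny model of a getopt-style parse: global options, the subcommand,
    subcommand options, then positionals. Options in the *_WITH_ARG sets
    consume the following token, so a value passed *as* an option argument
    (e.g. after -u) is not an injection point; a positional value is."""
    i, glob = 1, {}
    while i < len(argv) and argv[i].startswith("-"):
        if argv[i] in P4_GLOBAL_OPTS_WITH_ARG:
            glob[argv[i]] = argv[i + 1]
            i += 2
        else:
            glob[argv[i]] = ""
            i += 1
    sub = argv[i]
    i += 1
    sub_opts, positionals = {}, []
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and not positionals:
            if tok in P4_SYNC_OPTS_WITH_ARG:
                sub_opts[tok] = argv[i + 1]
                i += 2
            else:
                sub_opts[tok] = ""
                i += 1
        else:
            positionals.append(tok)
            i += 1
    return glob, sub, sub_opts, positionals


def smuggled_options(s: Dict[str, str]) -> List[str]:
    """Which subcommand options did the settings values turn into?"""
    _, _, sub_opts, _ = parse_getopt_style(build_argv_unsafe(s))
    return sorted(sub_opts)


# Hardened side: one grammar per field. None of them admits a leading '-',
# whitespace or line breaks. Apply this on every write path that can create
# or edit the VCS root (UI form, REST API, versioned settings), not only in
# the browser.
FIELD_GRAMMAR = {
    "port": re.compile(r"(?:ssl:)?[A-Za-z0-9][A-Za-z0-9.-]*:\d{1,5}"),
    "user": re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*"),
    "path": re.compile(r"//[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)*"),
}


def validate(s: Dict[str, str]) -> List[str]:
    """Return the names of fields whose value fails its grammar."""
    return [name for name, pat in FIELD_GRAMMAR.items()
            if not pat.fullmatch(s.get(name, ""))]


def build_argv_safe(s: Dict[str, str]) -> List[str]:
    bad = validate(s)
    if bad:
        raise ValueError(f"rejected connection settings: {', '.join(bad)}")
    return build_argv_unsafe(s)   # the argv layout is fine once values are


if __name__ == "__main__":
    print("benign  ->", smuggled_options(BENIGN))
    print("hostile ->", smuggled_options(HOSTILE))
    print("validate(HOSTILE) ->", validate(HOSTILE))
```

The validator deliberately whitelists rather than stripping a leading dash: a value such as `//depot/-n` is legitimate, while `-n` on its own is not, and only a per-field grammar can tell them apart.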
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires (1) network access to the TeamCity web UI or REST API, (2) an authenticated account holding project-level permissions sufficient to create or edit a Perforce VCS root (PR:L in the CVSS vector), and (3) a TeamCity server running a version earlier than 2026.1 with Perforce VCS support available. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N yields 7.1 (High): network-reachable, low privileges, no user interaction, high confidentiality impact and low integrity impact. Note that I:L and A:N do not reflect what arbitrary command execution under the server process would normally allow, so treat 7.1 as a floor when prioritising. … |
| Exploit Scenario | An attacker who has obtained credentials for a TeamCity user with project configuration rights, for example by phishing a developer, reusing leaked CI credentials, or abusing an overly permissive default role, creates or edits a Perforce VCS root and injects malicious arguments into one of the Perforce connection fields. When TeamCity invokes the p4 command-line client to validate or fetch from the configured server, the smuggled arguments cause arbitrary commands to be executed under the TeamCity server process, giving the attacker a foothold on the CI server and access to build secrets, artifacts, and downstream deployment credentials. … |
| Remediation | Vendor-released fix: TeamCity 2026.1. Upgrade all TeamCity server installations to 2026.1 or later, following the standard upgrade procedure documented by JetBrains, and consult https://www.jetbrains.com/privacy-security/issues-fixed/ for advisory details. … |
Recommended Action (AI)
Within 24 hours: identify all TeamCity instances running versions prior to 2026.1; audit and document which users hold Perforce configuration privileges. …
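An added triage helper for the two actions above (not a vuln.today or JetBrains tool): it decides from a server's reported version string whether it predates the 2026.1 fix, and it scans existing Perforce VCS root properties for values that look like option injection, which is the check to run on instances that were exposed before patching. The inventory and the REST payload are constructed samples; the URL and response shape quoted in the comment are assumptions of this example, so adjust them to what your server actually returns.

```python
import json
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (2026, 1)   # from the advisory: fixed in TeamCity 2026.1


def parse_version(s: str) -> Tuple[int, ...]:
    """Accept '2025.11.5', '2025.03.3' or '2026.1 (build 200001)'.
    The '(build N)' suffix is assumed here to be how the server reports
    its version; only the leading year.major[.minor] is compared."""
    m = re.match(r"\s*(\d{4})\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {s!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def needs_upgrade(version: str) -> bool:
    # Tuple comparison: (2026, 1, 1) is not < (2026, 1), (2025, 11, 5) is.
    return parse_version(version) < FIXED_VERSION


# Constructed inventory: hostname -> version string as reported by the server
# (assumed to come from GET /app/rest/server). Build numbers are made up.
INVENTORY = {
    "tc-prod.example.internal": "2025.11.5 (build 201001)",
    "tc-staging.example.internal": "2026.1 (build 202001)",
    "tc-legacy.example.internal": "2024.12.2 (build 174001)",
}


def triage(inventory: Dict[str, str]) -> List[str]:
    """Hostnames that still need the 2026.1 upgrade, sorted."""
    return sorted(h for h, v in inventory.items() if needs_upgrade(v))


# Constructed payload in the shape this example assumes for
# GET /app/rest/vcs-roots?locator=type:perforce
#     &fields=vcs-root(id,project(id),properties(property(name,value)))
# Property names are illustrative, not TeamCity's real parameter names.
PERFORCE_ROOTS = json.loads("""
{"count": 2, "vcs-root": [
  {"id": "Perforce_Main", "project": {"id": "Main"},
   "properties": {"property": [
     {"name": "port", "value": "perforce.example.com:1666"},
     {"name": "user", "value": "builder"}]}},
  {"id": "Perforce_Build", "project": {"id": "Build"},
   "properties": {"property": [
     {"name": "port", "value": "--injected"},
     {"name": "user", "value": "builder"}]}}
]}
""")


def suspicious_properties(payload: dict) -> List[Tuple[str, str, str]]:
    """(root id, property name, value) for every value that begins with '-'
    or contains a line break. Neither belongs in a host:port, user name or
    depot path, and both are what an argument-injection attempt looks like
    once it has been saved into a VCS root."""
    hits = []
    for root in payload.get("vcs-root", []):
        for prop in root.get("properties", {}).get("property", []):
            value = prop.get("value", "")
            if value.lstrip().startswith("-") or "\n" in value:
                hits.append((root["id"], prop["name"], value))
    return hits


if __name__ == "__main__":
    print("needs upgrade:", triage(INVENTORY))
    for root_id, name, value in suspicious_properties(PERFORCE_ROOTS):
        print(f"review {root_id}: {name}={value!r}")
```

A hit from `suspicious_properties` is a reason to pull the VCS root's audit history (who last edited it and when) and the server's own logs for p4 invocations around that time, not proof of compromise on its own.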
Other JetBrains TeamCity advisories
- Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to serve
- In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab. Rated medi
- In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources. Rated h
- Information disclosure in JetBrains TeamCity prior to version 2026.1 allows authenticated low-privilege users to read se
- Server-side request forgery in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 allows remote unauthenticated a
- Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrar
- Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensit
- Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote at
- Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inje
- In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible
- In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible
- In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible. Rated medium se
References
- EUVD-2026-33381
- GHSA-hqxf-vmvp-qr3c