
JetBrains TeamCity EUVD-2026-33382

CVE-2026-49374 HIGH
Missing Authorization (CWE-862)
2026-05-29 · JetBrains · GHSA-pqrm-v5f6-j44f
CVSS 3.1 (NVD): 7.6

Severity by source

NVD (primary): 7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch available: May 29, 2026, 20:02 (EUVD)
Analysis generated: May 29, 2026, 18:51 (vuln.today)
CVE published: May 29, 2026, 18:15 (NVD)

Description (CVE.org)

In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters

Analysis (AI)

Because of missing authorization checks, JetBrains TeamCity prior to version 2026.1 allows authenticated low-privilege users to read sensitive build configuration parameters they should not have access to. The flaw carries a CVSS 7.6 score, driven by the high confidentiality impact on a network-reachable CI/CD server, though no public exploit was identified at the time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privileged TeamCity account
Delivery: Reach TeamCity web/API endpoint
Exploit: Request parameters of out-of-scope build config
Execution: Server skips authorization check
Persist: Receive sensitive build parameters
Impact: Reuse leaked secrets against downstream systems

Vulnerability Assessment (AI)

Exploitation: The attacker must hold a valid authenticated TeamCity account with at least low-privilege access (PR:L in the CVSS vector), so the server must be reachable by the attacker, who must possess or obtain working credentials, for example those of a developer, contractor, build-agent service account, or any role created via SSO/LDAP that grants basic TeamCity login. …
Risk Assessment: The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L describes a remote, low-complexity attack requiring only low privileges and no user interaction, which is realistic for a multi-tenant CI server where many developers, contractors, and service accounts hold basic project-viewer roles. …
Exploit Scenario: A contractor or compromised developer account with only a basic project-viewer role on one team's project authenticates to the TeamCity REST API and issues a parameter-enumeration request against a build configuration belonging to a different, higher-privileged project. Because the authorization check is missing, the server returns the parameter values, including deployment credentials and cloud API tokens, which the attacker then uses to pivot into production infrastructure outside TeamCity. …
Remediation: Vendor-released patch: TeamCity 2026.1. Upgrade on-premises servers to 2026.1 or later as the primary fix, following the JetBrains upgrade guidance referenced from https://www.jetbrains.com/privacy-security/issues-fixed/. …

Recommended Action (AI)

Within 24 hours: Audit all credentials currently stored in TeamCity build configuration parameters and review access logs for signs of unauthorized disclosure. …


Other JetBrains TeamCity CVEs

CVE-2026-44413 HIGH
8.2 May 11

Authentication bypass in JetBrains TeamCity allows remote unauthenticated attackers to gain unauthorized access to serve

CVE-2025-26493 MEDIUM
4.6 Feb 11

In JetBrains TeamCity before 2024.12.2 several DOM-based XSS were possible on the Code Inspection Report tab. Rated medi

CVE-2025-26492 HIGH
7.7 Feb 11

In JetBrains TeamCity before 2024.12.2 improper Kubernetes connection settings could expose sensitive resources. Rated h

CVE-2026-49372 HIGH
7.5 May 29

Server-side request forgery in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 allows remote unauthenticated a

CVE-2026-49371 HIGH
7.1 May 29

Reflected cross-site scripting in JetBrains TeamCity before version 2026.1.1 allows remote attackers to execute arbitrar

CVE-2026-49373 HIGH
7.1 May 29

Remote code execution in JetBrains TeamCity versions prior to 2026.1 is achievable by authenticated users who can config

CVE-2026-49379 MEDIUM
6.5 May 29

Credential exposure in JetBrains TeamCity before version 2026.1 allows authenticated remote attackers to retrieve sensit

CVE-2026-49376 MEDIUM
6.5 May 29

Insufficient username validation in the SAML plugin of JetBrains TeamCity before 2026.1 allows unauthenticated remote at

CVE-2026-49375 MEDIUM
6.1 May 29

Reflected cross-site scripting on the TeamCity repository download page allows a remote unauthenticated attacker to inje

CVE-2025-52876 MEDIUM
5.4 Jun 23

In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible

CVE-2025-52875 MEDIUM
5.4 Jun 23

In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible

CVE-2025-46433 MEDIUM
4.9 Apr 25

In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible. Rated medium se
