CVE-2026-49372: JetBrains TeamCity Unauthenticated SSRF in Build Status
JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 contain a server-side request forgery (SSRF) vulnerability accessible without authentication. An attacker can abuse the build status feature to make the TeamCity server perform unintended HTTP requests to internal or external systems, potentially exposing sensitive data or accessing restricted resources. The vulnerability requires no user interaction and can be exploited over the network.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-918
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49372 is an unauthenticated SSRF flaw in TeamCity's build status functionality. The vulnerability maps to CWE-918 (Server-Side Request Forgery) and allows remote attackers to craft malicious requests that force the TeamCity server to initiate outbound connections to attacker-controlled or internal targets. Because the flaw exists in an unauthenticated endpoint, no prior access to TeamCity is required. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects network-accessible exploitation with high confidentiality impact and no authentication barrier.
Business impact
Exploitation could allow attackers to enumerate internal network topology, access credential stores, retrieve metadata from cloud environments, or probe internal services. Organizations using TeamCity for CI/CD pipelines face risk of lateral movement and reconnaissance if the server is internet-facing. The confidentiality impact is rated high because SSRF can leak sensitive data; however, integrity and availability are not directly compromised by this vector alone. Remediation delays increase exposure window for active reconnaissance.
Affected systems
JetBrains TeamCity instances running versions before 2026.1 or before 2025.11.5 are affected. Patched versions include TeamCity 2026.1 and later, as well as 2025.11.5 and later in the 2025.11 branch. Organizations should verify their exact deployment version against the vendor advisory to confirm applicability.
Exploitability
This vulnerability is highly exploitable in practice. It requires no authentication, no special user interaction, and only network access to the TeamCity server. The attack surface is broad: any organization exposing TeamCity on the internet or within a network where an attacker has a presence can be targeted. No KEV status has been assigned, indicating active in-the-wild exploitation has not yet been formally documented; however, the low complexity and zero-authentication requirement make this a logical target for threat actors performing reconnaissance or supply-chain attacks against development infrastructure.
Remediation
Upgrade TeamCity immediately to version 2026.1 or later, or to 2025.11.5 or later if remaining on the 2025.11 branch. Organizations unable to patch immediately should restrict network access to TeamCity to trusted networks only, disable the build status endpoint if not essential, and monitor outbound connections from the TeamCity server for unusual activity. Implement network segmentation to limit the impact of potential SSRF abuse.
Patch guidance
Apply the appropriate security update as soon as possible: upgrade to TeamCity 2026.1 or later for the latest branch, or 2025.11.5 or later for the 2025.11 LTS line. Verify the patched version against the official JetBrains security advisory before deployment. Test patches in a non-production environment first, particularly if TeamCity integrates with critical build or deployment workflows. Coordinate patching with development teams to minimize CI/CD disruption.
Detection guidance
Monitor TeamCity server logs for unusual outbound HTTP/HTTPS requests, particularly from the build status endpoint to unexpected internal IP addresses or external domains. Look for requests with atypical User-Agent strings or suspicious query parameters in the build status feature. Network detection should flag outbound connections from TeamCity to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or known cloud metadata services. Correlate TeamCity access logs with egress traffic patterns to identify potential exploitation attempts.
Why prioritize this
Despite the absence of KEV listing, this vulnerability merits immediate priority due to its combination of zero-authentication exploitation, high confidentiality impact, and relevance to CI/CD infrastructure. TeamCity servers are often targets for supply-chain attacks, and SSRF on such systems can expose build credentials, source code repositories, and internal service configurations. The ease of exploitation and broad attack surface justify treating this as critical for patching.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a high-severity vulnerability with significant business risk. The attack vector is network-accessible with no privilege or user interaction required, making exploitation trivial. Confidentiality impact is rated high because SSRF can disclose sensitive information; integrity and availability impact are none because the vulnerability does not directly modify data or degrade service. In the context of CI/CD infrastructure, the true business risk may exceed the base score if internal systems lack network segmentation.
Frequently asked questions
Is TeamCity vulnerable if it's deployed on an internal network only?
Yes. If an attacker has any presence on the internal network—through compromised credentials, malware, or adjacent systems—they can still exploit this SSRF. Internal deployment reduces the attack surface but does not eliminate risk. Patching remains essential.
Can this vulnerability be exploited to modify build configurations or steal secrets?
This SSRF allows the attacker to make requests on behalf of the TeamCity server, but does not directly modify configurations or bypass authentication. However, SSRF can be leveraged to access credential endpoints, cloud metadata services, or internal APIs that may store secrets. Integrity impact is limited to what the attacker can do through indirect HTTP requests.
What should we do if we cannot patch immediately?
Restrict network access to TeamCity using firewall rules or network segmentation, limit exposure to trusted IP ranges, disable or protect the build status endpoint if possible, and implement egress filtering to detect and block suspicious outbound requests. Monitor logs closely for signs of exploitation. These are temporary controls pending patch deployment.
Why has this not appeared on the CISA KEV list yet?
KEV status indicates formal documentation of active in-the-wild exploitation. The absence does not mean the vulnerability is low-risk; it may simply reflect a recent disclosure. Given the ease of exploitation and high-profile target (CI/CD infrastructure), defensive prioritization should not await KEV listing.
This analysis is provided for educational and defensive purposes. No exploit code or weaponization guidance is included. Vulnerability details and patch information are derived from official vendor advisories; verify all patch versions and remediation steps against JetBrains' official security documentation before implementation. Organizations should conduct internal testing before deploying patches in production. This content does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10068HIGHSSRF in Shibby Tomato 1.28 miniupnpd (Unmaintained)
- CVE-2026-10107HIGHMoviePilot v2 SSRF in Image Proxy Allows Internal Network Access
- CVE-2026-10280HIGHServer-Side Request Forgery in Horizon921 mcpilot 0.1.0
- CVE-2026-10287HIGHSSRF in SourceCodester SEO Meta Tag Extractor 1.0
- CVE-2026-10771HIGHCRMEB Java SSRF Vulnerability in QR Code Endpoint
- CVE-2026-42398HIGHKibana Webhook SSRF Vulnerability—Egress Allowlist Bypass
- CVE-2026-42965HIGHOpenShift Router SSRF via FQDN EndpointSlice
- CVE-2026-44285HIGHFastGPT SSRF Vulnerability in Dataset Preview Endpoint