HIGH 7.1

CVE-2026-49373: TeamCity Perforce RCE – Patch to 2026.1

JetBrains TeamCity versions prior to 2026.1 contain a remote code execution vulnerability accessible through the Perforce connection configuration interface. An authenticated user with permissions to modify Perforce settings can execute arbitrary code on the TeamCity server. This requires valid credentials and access to TeamCity's configuration features, but does not require user interaction or special system conditions once access is gained.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-88
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49373 is a remote code execution flaw in TeamCity's Perforce integration layer. The vulnerability stems from improper argument construction in how TeamCity processes Perforce connection parameters (CWE-88: Argument Injection). An attacker with authentication credentials and appropriate role permissions can inject malicious payloads into Perforce connection settings, leading to command execution within the TeamCity application context. The attack surface is the administrative or project-level settings interface where Perforce repository connections are configured. No network-level authentication bypass is required; the vulnerability assumes the attacker has already cleared TeamCity's authentication.

Business impact

Organizations relying on TeamCity for CI/CD automation face direct operational disruption and data compromise. Successful exploitation allows an attacker with TeamCity credentials to gain code execution on build infrastructure, potentially compromising build artifacts, secrets stored in CI/CD pipelines, and downstream systems that consume build outputs. Supply chain integrity becomes a critical concern if malicious code is injected into software builds. The exposure is primarily internal (requires authenticated access) but carries high severity due to the privileged position of CI/CD systems in development workflows.

Affected systems

JetBrains TeamCity versions before 2026.1 are affected. Organizations should verify their deployed version via the TeamCity Administration > About section or by checking application startup logs. The vulnerability applies to all deployment models (on-premises, cloud-hosted, or containerized) running affected versions, regardless of whether Perforce is actively used—the flaw exists in the codebase before user interaction.

Exploitability

Exploitation requires valid TeamCity credentials with permissions to create or modify Perforce integration settings. This typically means users with Administrator, Project Administrator, or equivalent build configuration roles. No public exploit code has been added to CISA's Known Exploited Vulnerabilities catalog, indicating limited evidence of active weaponization in the wild at this time. However, the straightforward nature of argument injection in configuration interfaces means that exploitation by insiders or compromised accounts is feasible without sophisticated tooling.

Remediation

Upgrade TeamCity to version 2026.1 or later. JetBrains has addressed the Perforce argument injection in this release. Organizations unable to upgrade immediately should restrict TeamCity access via network segmentation, limit the number of users with Perforce integration configuration privileges, and monitor TeamCity logs for unusual Perforce connection modifications or administrative activity.

Patch guidance

Verify your current TeamCity version in Administration > About. If running a version before 2026.1, consult JetBrains' official download and upgrade documentation for your deployment architecture (server, agents, plugins). Test the upgrade in a non-production environment first to ensure compatibility with custom plugins or integrations. Patch both the TeamCity server and any connected agents, as the vulnerability may impact build execution context.

Detection guidance

Monitor TeamCity audit logs for changes to Perforce connection settings, particularly modifications from non-standard administrative accounts or during unusual hours. Check for suspicious command syntax in Perforce configuration fields if logs capture configuration content. Network-level detection is limited since this is application-layer injection; focus on endpoint monitoring of the TeamCity process for unexpected child process spawning or outbound connections during Perforce integration operations. Review recent Perforce connection test or build execution logs for error messages indicating command injection attempts.

Why prioritize this

Despite a CVSS score of 7.1 (HIGH), this vulnerability ranks for immediate patching due to its position in CI/CD infrastructure and the high-trust environment in which TeamCity operates. The requirement for authentication substantially reduces the attack surface compared to unauthenticated RCE, but the confluence of privileged infrastructure access and potential supply chain impact justifies rapid remediation. Organizations should prioritize this above non-critical findings but may sequence it after critical unauthenticated RCE vulnerabilities affecting the same asset.

Risk score, explained

The CVSS 3.1 score of 7.1 reflects: Network-exploitable attack vector (AV:N), low attack complexity (AC:L), requirement for low-privilege authentication (PR:L), no user interaction (UI:N), and contained scope (S:U). The impact ratings—High confidentiality, Low integrity, No availability impact—indicate data exfiltration risk without full system compromise or denial-of-service capability. The score appropriately balances the authentication barrier against the severity of code execution in a trusted build environment.

Frequently asked questions

Do we need to patch if we don't use Perforce?

Yes. Although the vulnerability is triggered through Perforce integration settings, the flawed code exists in all TeamCity installations before 2026.1. An attacker with credentials could potentially enable or misconfigure Perforce even if your team doesn't use it, making patching a universal requirement for affected versions.

How can we know if this was exploited in our environment?

Check TeamCity's audit log (Administration > Audit) for changes to Perforce integration settings, failed or unusual Perforce connection tests, and creation of new Perforce-based build configurations. Cross-reference timing with access logs and review any unexpected build artifacts or test execution during the same period. If your infrastructure monitoring detected unusual process spawning on the TeamCity server, correlate timestamps with configuration changes.

Is network segmentation sufficient while we plan patching?

Network segmentation reduces exposure by limiting who can reach TeamCity, but it does not eliminate the vulnerability. An insider, compromised developer account, or attacker who has already gained initial access can still exploit it. Segmentation should be one layer in a defense strategy, combined with access control restrictions (minimizing who can modify Perforce settings) and close monitoring, but patching is the definitive fix.

What versions of TeamCity are covered by this advisory?

All versions before 2026.1 are vulnerable. Verify your version in TeamCity Administration > About. If you are on 2026.1 or later, you are not affected by this specific CVE.

This analysis is based on the CVE record and vendor advisory as of the published date. Security intelligence is subject to change as new information emerges. Organizations should verify all patch version numbers, compatibility notes, and remediation steps directly against JetBrains' official security advisories and release notes before deploying updates. No liability for decisions made based on this intelligence; consult your security team and vendor documentation for your specific environment. Exploit code or weaponized proof-of-concepts are not provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).