CVE-2026-49374: JetBrains TeamCity Build Parameter Authorization Bypass
JetBrains TeamCity versions prior to 2026.1 suffer from insufficient permission checks that allow authenticated users to access sensitive build configuration parameters they should not be able to view. An attacker with valid login credentials but limited project access could extract confidential build settings, secrets, or other sensitive configuration data by exploiting this authorization flaw.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
- Weaknesses (CWE)
- CWE-862
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49374 stems from improper permission validation in TeamCity's build configuration parameter handling. The vulnerability allows users with legitimate but restricted access (PR:L in the CVSS vector) to bypass authorization controls and read build configuration parameters across projects or contexts where they lack explicit permission. The issue resides in how TeamCity enforces role-based access controls on sensitive configuration endpoints, permitting information disclosure while also enabling limited modification capabilities.
Business impact
Organizations using TeamCity for CI/CD orchestration face credential exposure and intellectual property leakage. Build parameters commonly store API keys, database credentials, deployment tokens, and other secrets tied to production and development environments. Compromised credentials can escalate to lateral movement, unauthorized deployments, or sabotage of the build pipeline. The combination of confidentiality and integrity impacts elevates risk in regulated environments requiring audit trails and access controls.
Affected systems
JetBrains TeamCity installations before version 2026.1 are vulnerable. This includes all 2025.x releases and earlier versions. Organizations should verify their deployed TeamCity version through the Administration > About page or via version inspection endpoints.
Exploitability
Exploitation requires valid TeamCity credentials, reflecting the PR:L prerequisite. An attacker cannot exploit this remotely without authentication. However, the attack vector is network-based (AV:N), meaning exploitation can occur from any network location once an account is compromised or obtained. The barrier to exploitation is low complexity (AC:L), making this practical for attackers with basic access.
Remediation
Upgrade TeamCity to version 2026.1 or later. JetBrains has patched the permission validation logic in this release. Organizations unable to upgrade immediately should review audit logs for suspicious parameter access patterns and rotate credentials stored in build configurations as a precautionary measure.
Patch guidance
Apply JetBrains TeamCity 2026.1 or newer. Verify the patch by confirming the version in Administration settings post-update. Test in a staging environment before production rollout to ensure no compatibility issues with existing build jobs or plugins. Check the JetBrains security advisory for any noted breaking changes or migration steps.
Detection guidance
Monitor TeamCity access logs for unusual parameter read operations by users with restricted roles. Audit trail entries showing users accessing build configuration pages outside their assigned projects warrant investigation. Set up alerts on authentication patterns combining successful logins with abnormal parameter API calls. Review build configuration change history for unexpected modifications coinciding with the vulnerability window.
Why prioritize this
This vulnerability merits prompt attention despite not yet appearing on the KEV catalog. The HIGH CVSS score (7.6) reflects meaningful confidentiality impact coupled with integrity and availability concerns. Build configuration parameters are prime targets for attackers seeking credential theft, and the authentication requirement, while present, is frequently satisfied through credential compromise or insider threats. Organizations relying on TeamCity for sensitive CI/CD workflows should prioritize patching.
Risk score, explained
The CVSS 3.1 score of 7.6 reflects: network accessibility (AV:N) permitting remote exploitation; low attack complexity (AC:L) requiring no special conditions; mandatory authentication (PR:L) providing a moderate barrier; high confidentiality impact from parameter disclosure (C:H); low integrity and availability impact (I:L, A:L) from partial modification capabilities. The score falls within the HIGH severity band, warranting rapid remediation.
Frequently asked questions
Do I need to patch immediately if I use TeamCity primarily for non-sensitive builds?
Even non-sensitive projects may include environment variables, artifact repository credentials, or Slack/notification tokens. Attackers exploit such parameters for lateral movement or reconnaissance. Prioritize patching based on your threat model and credential sensitivity; do not defer indefinitely.
Can I mitigate this without upgrading to 2026.1?
Partial mitigation: restrict TeamCity user accounts to minimal necessary roles, rotate all credentials stored in build parameters, and audit access logs for suspicious activity. However, these are detective and compensating controls, not fixes. Upgrade as soon as feasible.
Does this vulnerability require admin access to exploit?
No. The vulnerability allows any authenticated user with limited project access to escape their restrictions and read parameters from other projects or contexts. A developer account for Project A might read parameters from Project B.
Is this vulnerability being actively exploited?
As of the vulnerability publication date, this issue has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no public weaponized exploits yet. However, the ease of exploitation means active threat development or targeted attacks cannot be ruled out.
This analysis is derived from publicly available vulnerability data and JetBrains' official disclosures. Organizations should verify patch availability and compatibility with their specific TeamCity deployment before applying updates. Patch versions and release timing should be confirmed against the official JetBrains security advisory and release notes. This summary does not constitute professional security advice; consult your organization's security team and vendor documentation for deployment decisions. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-49367HIGHIntelliJ IDEA Guest Account Command Execution Vulnerability
- CVE-2026-49378MEDIUMTeamCity Credential Exposure via Parameter Autocompletion
- CVE-2026-49385MEDIUMJetBrains YouTrack Service Account Privilege Escalation
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability
- CVE-2025-26418HIGHAndroid CarDevicePolicyService Privilege Escalation (CVSS 7.8)
- CVE-2025-53345HIGHThimPress Thim Core Missing Authorization Leads to Code Execution
- CVE-2026-10737HIGHWordPress SP Project & Document Manager Unauthenticated File Access Vulnerability
- CVE-2026-31942HIGHLibreChat IDOR Vulnerability Allows Unauthorized API Key Manipulation