MEDIUM 6.1

CVE-2026-49375: TeamCity Reflected XSS on Repository Download Page – Patch Guidance

JetBrains TeamCity versions before 2026.1 and 2025.11.5 contain a reflected cross-site scripting (XSS) vulnerability on the repository download page. An attacker can craft a malicious URL and trick a user into clicking it, allowing the attacker to steal session cookies, perform actions on behalf of the user, or redirect them to phishing sites. The vulnerability requires user interaction and does not directly compromise the server itself.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

In JetBrains TeamCity before 2026.1, 2025.11.5 reflected XSS was possible on the repository download page

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49375 is a reflected XSS vulnerability (CWE-79) in TeamCity's repository download page. The flaw allows unauthenticated attackers to inject arbitrary JavaScript into the browser context of an authenticated user. Because the vulnerability is reflected (not stored), the attacker must socially engineer a victim into visiting a crafted link. The attack vector is network-based with low complexity, and successful exploitation results in limited confidentiality and integrity impact within the scope of the affected user's session.

Business impact

Exploitation could enable account takeover of individual TeamCity users, unauthorized repository access, or lateral movement to systems the compromised user can reach. For organizations using TeamCity as a central build and deployment platform, a compromised account could facilitate deployment of malicious artifacts, source code theft, or supply chain attacks. The impact is confined to the privileges of the compromised user, reducing organizational risk compared to unauthenticated remote code execution vulnerabilities.

Affected systems

JetBrains TeamCity versions before 2026.1 and 2025.11.5 are affected. Organizations running these versions should inventory their TeamCity instances and prioritize patching based on network exposure and user roles. Users with administrative or release-engineering privileges pose higher risk if compromised.

Exploitability

Exploitation requires no authentication or special privileges to craft the malicious URL, but successful attack depends entirely on user interaction. An attacker must convince a TeamCity user to click a link or visit an attacker-controlled page that frames the vulnerable endpoint. This significantly lowers the probability of large-scale automated exploitation compared to unauthenticated remote vulnerabilities. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no active in-the-wild exploitation has been reported as of the publication date.

Remediation

Upgrade TeamCity to version 2026.1 or later, or apply the patch to version 2025.11.5 as recommended by JetBrains. Organizations unable to patch immediately should implement network segmentation to restrict TeamCity access to trusted users and networks, apply web application firewall (WAF) rules to detect XSS payloads on the repository download endpoint, and educate users about phishing-style attacks involving internal tools.

Patch guidance

Check the JetBrains TeamCity release notes and security advisories for the exact patched versions and rollout timeline. Deploy patches in a test environment first to verify compatibility with existing plugins, build configurations, and integrations. Prioritize patching instances exposed to the internet or accessible to a large user base. Consider scheduling maintenance windows during low-activity periods to minimize disruption to CI/CD pipelines.

Detection guidance

Monitor HTTP access logs for suspicious query parameters or encoded payloads on paths matching /repo/download or similar repository endpoints. Look for User-Agent headers, IP patterns, or referrers indicative of social engineering. Implement browser-based XSS detection in TeamCity if available, or deploy a WAF rule to block common XSS patterns (script tags, event handlers) in the affected parameter. Correlate user access logs with any suspicious downstream actions in CI/CD (unauthorized builds, artifact modifications).

Why prioritize this

Although rated MEDIUM severity with a CVSS score of 6.1, this vulnerability warrants prompt but measured prioritization. The lack of KEV designation and unknown active exploitation lower immediate threat urgency. However, TeamCity is a high-value build system; even user-level compromise could enable supply chain attacks. Organizations with internet-facing TeamCity instances or where users frequently receive external links should prioritize patching within 30 days. Lower-priority environments or internally isolated instances can follow standard patching cadences.

Risk score, explained

The CVSS 3.1 score of 6.1 (MEDIUM) reflects a network-accessible vulnerability requiring user interaction, no authentication, and limited direct impact (confidentiality and integrity of the user's session only). The score does not account for organizational context—the true risk depends on TeamCity's role in your pipeline, user access levels, and network exposure. Organizations deploying TeamCity as a central CI/CD hub with privileged users should treat this as higher-priority within their environment than the base score suggests.

Frequently asked questions

Can this vulnerability be exploited without user interaction?

No. Reflected XSS requires the victim to visit or click a malicious link. An attacker cannot compromise a user passively; social engineering is required. This significantly limits the attack surface compared to unauthenticated pre-auth vulnerabilities.

Does this affect TeamCity Server or TeamCity Cloud?

The advisory specifies TeamCity versions before 2026.1 and 2025.11.5. Consult the official JetBrains security page to confirm whether TeamCity Cloud (hosted) instances are affected and what patch status applies, as they may receive automatic updates independently.

What happens if a build agent or plugin is compromised via this XSS?

If an attacker compromises a TeamCity admin or user with build configuration privileges, they could potentially modify build steps, inject malicious artifacts, or exfiltrate secrets stored in TeamCity. This is why user role and privilege context is important when assessing organizational risk.

Is there a workaround if we cannot patch immediately?

No permanent workaround exists short of patching or disabling the repository download feature entirely. Mitigations include restricting network access to TeamCity, using a reverse proxy with XSS filtering, educating users to verify link sources, and closely monitoring for suspicious activity. These reduce but do not eliminate risk.

This analysis is based on publicly available information as of the publication date and the ground-truth source data provided. Organizations should consult the official JetBrains security advisory and release notes for authoritative patch version numbers, timelines, and platform-specific guidance. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor statements. Testing in a controlled environment before production deployment is essential. Exploits, proof-of-concept code, and detailed payload examples are not provided; refer to security researchers and vendor guidance for technical deep dives. This document is for informational purposes and should inform, not replace, your organization's vulnerability management and risk assessment processes. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).