MEDIUM 6.5

CVE-2026-49376: JetBrains TeamCity SAML Username Validation Bypass

JetBrains TeamCity versions prior to 2026.1 contain a vulnerability in the SAML authentication plugin where usernames are not properly validated. This weakness allows an attacker to bypass normal username restrictions and potentially gain unauthorized access or manipulate user identity claims during the authentication process. The vulnerability requires network access but no special credentials or user interaction to exploit.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weaknesses (CWE)
CWE-863
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49376 is an authorization and access control flaw (CWE-863) in TeamCity's SAML plugin implementation. The insufficient validation of usernames in SAML assertions permits an attacker to craft or intercept SAML responses containing malformed or unexpected username values that the plugin fails to sanitize or reject. This can lead to authentication bypass or account takeover scenarios where an attacker either assumes an existing user's identity or creates unintended user accounts with elevated privileges. The vulnerability is exploitable remotely without authentication or user interaction, though the practical impact depends on how the SAML IdP is configured and whether it enforces its own username validation.

Business impact

Compromise of TeamCity user accounts—particularly those with administrative or build-configuration privileges—could allow attackers to modify builds, inject malicious artifacts into CI/CD pipelines, exfiltrate source code or credentials, or disrupt development operations. Organizations relying on SAML for enterprise identity federation face heightened risk if the IdP is misconfigured or if attackers can influence the IdP's responses (via network interception or compromised IdP infrastructure). The integrity of the entire software supply chain may be at risk in affected environments.

Affected systems

JetBrains TeamCity versions before 2026.1 are affected. The vulnerability exists specifically in the SAML plugin, so only TeamCity instances that use SAML for single sign-on are directly vulnerable. Non-SAML deployments are unaffected. Verify your TeamCity version and authentication configuration to determine exposure.

Exploitability

The vulnerability is network-accessible and requires no authentication or user interaction, resulting in a CVSS base score of 6.5 (MEDIUM). Exploitation does not require knowing valid credentials upfront, but the attacker must be in a position to influence or intercept SAML messages—either by compromising the IdP, performing active network interception, or exploiting a misconfigured SAML endpoint. The attack surface is real but not trivial; practical exploitation depends on the deployment's network architecture and IdP security posture.

Remediation

Upgrade JetBrains TeamCity to version 2026.1 or later. Verify with JetBrains' official security advisories for the exact patch version that resolves this issue. Until patching is possible, review SAML plugin logs for suspicious username patterns, restrict SAML endpoint access to trusted networks if feasible, and ensure your IdP implements strict username validation and signing to prevent assertion tampering.

Patch guidance

Apply the TeamCity 2026.1 release or later as documented by JetBrains. Test the patch in a non-production environment first, particularly if TeamCity is central to your CI/CD pipeline. After upgrade, verify that SAML authentication continues to function correctly for all federated users. Consult JetBrains' official release notes and security bulletin for any breaking changes or migration steps specific to your deployment.

Detection guidance

Monitor TeamCity logs for: (1) SAML authentication events with unusual or invalid username formats, (2) failed SAML assertions followed by successful logins with unexpected user accounts, (3) account creation or privilege escalation events coinciding with SAML authentication activity, and (4) repeated SAML errors that might indicate exploitation attempts. Enable detailed SAML plugin logging if supported. Network-based detection should flag malformed SAML responses or repeated SAML assertion parsing failures.

Why prioritize this

While CVSS 6.5 (MEDIUM) does not place this at the absolute top of patch queues, the threat model is serious: authentication bypass in a build-automation system can compromise the entire software supply chain. Organizations using SAML should prioritize this patch within weeks rather than months, especially if the TeamCity instance has direct internet exposure or hosts builds for security-sensitive products. Non-SAML deployments can defer with lower urgency.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects network accessibility (AV:N) and low complexity (AC:L), offset by no authentication requirement (PR:N), no user interaction (UI:N), and limited scope (S:U). The impact is partial—confidentiality and integrity are affected (C:L/I:L) but availability is not (A:N), yielding a MEDIUM severity. The score does not capture supply-chain risk; organizations should apply context-specific risk analysis based on the sensitivity of builds and artifacts controlled by TeamCity.

Frequently asked questions

Do non-SAML TeamCity installations need to patch this?

No. This vulnerability exists only in the SAML plugin's username validation. If your TeamCity instance uses local authentication, LDAP, or another non-SAML method, you are not directly affected. However, you should still keep TeamCity updated for other security and stability fixes.

What happens if our IdP is already validating usernames strictly?

A well-configured IdP that signs assertions and enforces strict username policies reduces exploitation risk. However, the vulnerability is in TeamCity's insufficient validation on the receiving end. Even with a secure IdP, an attacker who can intercept or tamper with SAML traffic may still exploit the weakness. Do not rely solely on IdP controls; patch TeamCity.

Can we work around this without upgrading immediately?

Temporary mitigations include restricting SAML endpoint network access to trusted subnets or proxies, disabling SAML if it is not essential, or enabling IP-based access controls on TeamCity. However, these are not substitutes for patching. Plan the upgrade to 2026.1 or later as soon as feasible.

Is this vulnerability actively exploited?

This vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning no active exploitation in the wild has been widely reported as of the publication date. However, the absence of public proof-of-concept does not mean exploitation is impossible; apply the patch promptly regardless.

This analysis is provided for informational purposes only and is based on publicly available vulnerability data as of the publication date. Readers should verify all patch versions, affected product configurations, and remediation steps against official JetBrains security advisories and release notes. Security risk assessment and remediation timelines should account for your organization's specific environment, threat model, and business criticality. No guarantee is made regarding the completeness or real-time accuracy of this information. Consult your vendor and security team before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).