MEDIUM 4.3

CVE-2026-49378: TeamCity Credential Exposure via Parameter Autocompletion

JetBrains TeamCity contained a vulnerability where stored credentials could be inadvertently exposed through the parameter autocompletion feature. When users typed in parameter fields, the system would suggest previously stored credential values, potentially revealing sensitive authentication data to anyone with access to the TeamCity interface. This issue affects TeamCity versions prior to 2026.1 and requires an authenticated user to interact with the affected feature. The exposure is limited to local disclosure within the TeamCity environment rather than remote exfiltration.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-862
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from improper access control on credential parameters within TeamCity's autocompletion mechanism. Prior to version 2026.1, the autocompletion system did not sufficiently restrict which users could view suggested credential values, violating the principle of least privilege. An authenticated user with build configuration access could observe credential parameter suggestions that should have been restricted based on their permission level. The root cause maps to CWE-862 (Missing Authorization), indicating a failure to enforce proper permission checks on sensitive data display.

Business impact

This vulnerability could lead to unauthorized disclosure of credential material to TeamCity users who should not have access to specific credentials. In environments where TeamCity administrators manage credentials for multiple projects or teams, this could result in cross-team or cross-project credential leakage. While the CVSS score is moderate (4.3), the business impact depends on what credentials are stored and who has TeamCity access. Organizations with strict credential compartmentalization or those using TeamCity for sensitive infrastructure deployments should prioritize this fix.

Affected systems

JetBrains TeamCity versions prior to 2026.1 are affected. The vulnerability requires authenticated access to the TeamCity server; it does not affect installations that are properly network-isolated or have strong access controls. On-premises TeamCity installations and cloud-hosted instances running affected versions are in scope. Organizations should verify their current TeamCity version against the vendor's official release notes to confirm applicability.

Exploitability

Exploitation requires valid TeamCity credentials and the ability to access parameter configuration screens. An authenticated user cannot directly trigger credential disclosure; they must interact with the autocompletion feature in the normal course of build configuration or parameter management. The attack surface is internal to the TeamCity interface, and no remote unauthenticated exploitation is possible. However, the low barrier to exploitation once access is obtained (simple interaction with autocompletion) makes this a concern in environments with overly broad TeamCity user access.

Remediation

Upgrade TeamCity to version 2026.1 or later, which includes fixes to restrict credential parameter visibility according to user permissions. Organizations unable to upgrade immediately should review and tighten access controls within TeamCity, limiting parameter configuration privileges to only those users who require them. Additionally, consider auditing recent parameter access logs if available to identify any potential unauthorized credential exposure.

Patch guidance

Check the JetBrains TeamCity release notes for version 2026.1 or later to confirm the availability and installation procedure for your deployment model (on-premises or cloud). Verify against the vendor advisory that the update addresses this specific issue. Test the upgrade in a non-production environment first to ensure compatibility with plugins and custom configurations. Schedule the upgrade during a maintenance window if your TeamCity instance is in active use.

Detection guidance

Review TeamCity access logs for unusual parameter configuration access patterns, particularly by users who do not typically manage build parameters. Check for any logs related to autocompletion queries or parameter suggestions that may indicate probing of credentials. If your TeamCity instance supports audit logging, enable it to capture parameter access and credential field interactions. Organizations with monitoring solutions can flag repeated failed or unusual parameter access attempts.

Why prioritize this

While the CVSS score of 4.3 reflects a medium severity, the actual priority depends on credential sensitivity and TeamCity user scope. Organizations with broad TeamCity access or storing highly sensitive credentials should prioritize this update. Conversely, teams with tightly controlled TeamCity access and non-critical credentials may deprioritize relative to critical vulnerabilities. The fact that exploitation requires authentication and direct user interaction lowers the urgency compared to remote, unauthenticated vulnerabilities, but the nature of credential exposure justifies timely remediation.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM) reflects a vulnerability requiring authentication (PR:L), with no privilege escalation or system-wide impact (S:U), but with clear confidentiality impact (C:L). The vector indicates a network attack surface but low complexity once authenticated. The score appropriately captures that this is not a critical remote vulnerability, but it understates the business risk if the exposed credentials grant access to sensitive infrastructure. Organizations should apply judgment: the technical score is 4.3, but business context may warrant treating it as higher priority.

Frequently asked questions

Can this vulnerability be exploited without TeamCity credentials?

No. Exploitation requires valid authentication to the TeamCity server. An attacker would first need to compromise or obtain valid TeamCity user credentials, making this a post-authentication vulnerability.

Does upgrading TeamCity to 2026.1 fully remediate the risk?

According to the vendor advisory, version 2026.1 includes authorization controls to prevent unauthorized credential visibility. Verify against the official release notes and test in your environment, but the upgrade is the primary remediation path.

What credentials are at risk of exposure?

Any credentials stored as TeamCity parameters are potentially exposed through autocompletion—this typically includes API keys, passwords, tokens, and other authentication material. The scope depends on what your organization has stored in TeamCity parameters.

Should we disable parameter autocompletion as a temporary mitigation?

Disabling autocompletion would prevent the exposure vector but would degrade user experience. A better interim measure is to strictly limit TeamCity access to only those who absolutely require it and audit who has been viewing parameter configurations.

This analysis is for informational purposes and reflects the vulnerability as described by JetBrains and publicly available information. Verify all technical details, patch versions, and compatibility requirements against official vendor documentation before deploying updates. SEC.co does not provide legal advice; organizations should consult internal policies and compliance requirements when prioritizing remediation. No exploit code or proof-of-concept is provided. Always test patches in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).