MEDIUM 6.5

CVE-2026-49379: JetBrains TeamCity Credential Exposure in Thread Names

JetBrains TeamCity versions prior to 2026.1 contain a credential exposure vulnerability where sensitive authentication information could leak through thread names. An authenticated attacker with access to the TeamCity server could potentially extract credentials from system logs or monitoring output that display thread identities. This is a server-side information disclosure issue that does not require user interaction and affects the confidentiality of stored credentials.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-522
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

In JetBrains TeamCity before 2026.1 credentials could be exposed in thread names

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49379 is an authentication credential exposure flaw in JetBrains TeamCity caused by improper handling of sensitive data in thread naming conventions. The vulnerability arises from credentials being embedded or logged within thread names—a location typically accessible to system administrators, monitoring tools, and logging frameworks. An authenticated actor can access these thread names through standard server instrumentation or log aggregation systems, violating the principle of least privilege for credential storage. The issue is classified as CWE-522 (Insufficient Logging) and carries a CVSS 3.1 score of 6.5 (Medium severity) reflecting high confidentiality impact, network-based access, and low attack complexity.

Business impact

Credential exposure in TeamCity poses a material risk to CI/CD pipeline security. Leaked credentials could enable attackers to impersonate service accounts, bypass authentication controls, and gain persistent access to build systems, artifact repositories, and downstream deployment targets. In environments where TeamCity integrates with version control, container registries, or cloud infrastructure, compromised credentials represent a bridgehead for lateral movement and supply chain attacks. The exposure is particularly concerning in regulated environments where credential management is subject to audit controls and compliance frameworks.

Affected systems

All JetBrains TeamCity installations prior to version 2026.1 are affected. The vulnerability requires an authenticated user with server access to observe thread information, making it most exploitable in shared hosting environments, containerized deployments, or by privileged insiders. On-premises deployments with restricted access and cloud-hosted editions should verify their specific version against the vendor advisory to confirm applicability.

Exploitability

The attack requires prior authentication to the TeamCity instance (PR:L), eliminating opportunistic exploitation by unauthenticated threat actors. However, once authenticated, an attacker with standard user privileges can read thread names and other OS-level metadata without special permissions or user interaction. The attack surface is low-complexity and network-accessible, making it straightforward for an insider or compromised account holder to execute. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities catalog as of the published date.

Remediation

Upgrade JetBrains TeamCity to version 2026.1 or later to receive the fix for credential exposure in thread names. Before upgrading, audit your environment for any indicators of credential compromise by reviewing TeamCity logs, thread dumps, and monitoring system output for exposed secrets. Implement additional controls such as secret scanning in logs, restricted access to thread dumps and monitoring interfaces, and credential rotation for any service accounts used by TeamCity.

Patch guidance

JetBrains has addressed this issue in TeamCity 2026.1. Consult the official JetBrains security advisory and release notes to confirm the exact patch version available for your deployment model (on-premises, cloud-hosted, or container-based). Plan upgrades during maintenance windows to avoid disruption to CI/CD pipelines. Test patches in a staging environment first, particularly if you maintain custom plugins or integrations. Version 2026.1 should be treated as the minimum acceptable version going forward.

Detection guidance

Review TeamCity logs and application diagnostics for thread names containing credential patterns (API tokens, passwords, Bearer tokens). Enable verbose logging on the TeamCity server and examine standard output and thread dump files for exposed authentication material. Monitor system calls and file access to thread dump locations (/proc/[pid]/task/ on Linux, native debugging interfaces on Windows). Implement secret scanning tools in your logging pipeline to flag credential patterns in thread metadata. Correlate authentication access logs with system-level monitoring to identify when thread information was accessed or exported.

Why prioritize this

Although this vulnerability carries medium severity (CVSS 6.5), it merits prompt attention due to the critical role of TeamCity in CI/CD infrastructure and the high-impact nature of leaked build credentials. The requirement for prior authentication limits mass exploitation, but the ease of exploitation once authenticated and the downstream blast radius make this a priority for insider threat scenarios and compromised-account incidents. Organizations should prioritize patching based on the sensitivity of credentials used by TeamCity and their exposure surface.

Risk score, explained

The CVSS 3.1 score of 6.5 reflects: (1) high confidentiality impact—credentials are extracted without authorization; (2) no integrity or availability impact—the system continues normal operation; (3) network accessibility and low attack complexity—thread names are accessible via standard APIs; (4) authenticated attacker requirement—reducing risk from mass, unauthenticated exploitation. The medium severity appropriately captures that this is a serious information disclosure affecting credential confidentiality but does not directly enable code execution, denial of service, or system compromise.

Frequently asked questions

Does this vulnerability allow unauthenticated credential theft?

No. The vulnerability requires prior authentication to TeamCity (PR:L per the CVSS vector). However, once authenticated—even as a standard user—an attacker can read thread names containing credentials without additional privileges or user interaction.

How can I tell if my TeamCity instance is vulnerable?

Check your TeamCity version number against the advisory. Any version before 2026.1 is affected. To assess exposure, review recent thread dumps, system logs, and monitoring output for any patterns matching API tokens, passwords, or Bearer tokens that may have been leaked.

What types of credentials are typically exposed through thread names?

Credentials commonly embedded in thread names include API tokens for build integrations, service account passwords, authentication headers, and cloud provider access keys used during build execution. The exact exposure depends on how these credentials are passed to and logged by TeamCity during job execution.

Is there a workaround if I cannot patch immediately?

Until you can upgrade to 2026.1, implement additional controls: restrict access to TeamCity monitoring interfaces and thread dump files, rotate credentials regularly, enable secret scanning in logs, and monitor for unauthorized access to diagnostics and logging systems.

This analysis is provided for informational purposes and reflects the publicly available vulnerability record as of the publication date. Always verify patch versions and compatibility against the official JetBrains security advisory before deploying updates. Organizations should conduct their own risk assessment based on their specific TeamCity configuration, credential usage patterns, and access controls. SEC.co does not provide legal or compliance advice; consult your internal security and legal teams regarding regulatory notification requirements if credential exposure is confirmed in your environment. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).