LOW 3.4

CVE-2026-49381: Stored XSS in JetBrains TeamCity SAML Login

CVE-2026-49381 is a stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity's SAML login page that existed prior to version 2026.1. An attacker with high privileges could inject malicious scripts into the login interface, which would then execute in the browsers of users who interact with that page. The vulnerability requires user interaction to trigger and has limited scope, affecting only the confidentiality of information visible to the victim during their session.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.4 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This is a stored XSS vulnerability (CWE-79) in TeamCity's SAML authentication endpoint. The flaw allows a high-privileged attacker to persist malicious JavaScript in the SAML login page context. When users visit the affected page, the injected script executes with the privileges of that user's session. The network attack surface is low complexity, suggesting the injection point is straightforward once privileged access is obtained. The vulnerability does not permit privilege escalation or system compromise; its impact is confined to session-scoped information disclosure on the client side.

Business impact

Organizations using TeamCity for CI/CD automation may experience reduced user confidence in their authentication system if this vulnerability is exploited. An insider or compromised administrator could inject convincing phishing content or session-stealing payloads into the SAML login page, potentially harvesting credentials or tokens. However, the requirement for high-level privileges significantly limits opportunistic exploitation. The low CVSS score reflects that this is primarily a supply-chain or insider-threat risk rather than a vector for broad system compromise.

Affected systems

JetBrains TeamCity versions prior to 2026.1 are affected. Organizations running TeamCity deployments with SAML authentication enabled are in scope. The vulnerability does not affect non-SAML authentication methods. Verify your running version against vendor advisories to confirm whether your deployment is within the vulnerable range.

Exploitability

Exploitation requires high-level administrative or system access within TeamCity, making mass exploitation unlikely. An attacker must already have sufficient privileges to inject content into the SAML login page—a capability typically restricted to admins. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, indicating no public evidence of active weaponization or in-the-wild attacks. Opportunistic scanning or unauthenticated exploitation is not feasible.

Remediation

Upgrade JetBrains TeamCity to version 2026.1 or later, which resolves the stored XSS vulnerability on the SAML login page. Review access controls to ensure that only trusted administrators have the ability to modify TeamCity configuration and authentication settings. Validate that your SAML identity provider configuration is correct and that no unexpected modifications have been made to the login interface.

Patch guidance

JetBrains has addressed this vulnerability in TeamCity 2026.1. Consult the official JetBrains TeamCity release notes and security advisories to confirm the exact version and any compatibility considerations before deployment. Plan the upgrade during a maintenance window, as it may require a brief service restart. Test the upgrade in a non-production environment first to verify that SAML authentication continues to function correctly.

Detection guidance

Monitor TeamCity audit logs for unexpected modifications to SAML login page configuration or authentication settings, particularly changes made by administrative accounts. Review browser console logs and HTTP responses from the SAML login endpoint for injected script tags or suspicious JavaScript. Implement content security policy (CSP) headers on the TeamCity login page to mitigate the impact of any stored XSS. Perform regular security reviews of admin access and look for unusual privilege elevation or account activity patterns.

Why prioritize this

Although this vulnerability carries a low CVSS score, it warrants attention in organizations where TeamCity administrators are not fully trusted or where SAML login pages are exposed to a wider user base. The fixed version is readily available, and remediation is straightforward. Prioritize this for environments with strict authentication security policies or those that have experienced prior insider threats. For most organizations, standard patching schedules are appropriate.

Risk score, explained

The CVSS 3.1 score of 3.4 (LOW) reflects the limited attack surface: high privileges are required, user interaction is necessary, and the impact is confined to confidentiality within a single session. There is no attack vector for authentication bypass, denial of service, or system-level compromise. The stored nature of the XSS elevates concern beyond a reflected variant, but the privilege barrier prevents this from being a critical issue.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. The vulnerability requires high-level administrative privileges within TeamCity to inject the malicious script. Unauthenticated users cannot inject content into the SAML login page.

Does this vulnerability allow an attacker to bypass SAML authentication or compromise TeamCity itself?

No. The vulnerability is limited to client-side script injection visible to users on the login page. It does not enable authentication bypass, privilege escalation, or access to TeamCity's backend systems. The impact is confined to potential credential theft or phishing if exploited.

Is this vulnerability being actively exploited in the wild?

No evidence of active exploitation has been reported. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog. It is a privilege-gated flaw that would require insider access or system compromise to weaponize.

What should I do if I cannot update TeamCity immediately?

Restrict administrative access to only trusted users, monitor audit logs for unauthorized configuration changes, and implement network-level controls to limit who can access the TeamCity login interface. Apply a web application firewall rule to detect and block injected script patterns if possible.

This analysis is provided for informational purposes and based on publicly available vulnerability data as of the publication date. Verify all technical details, affected version ranges, and patch availability directly with JetBrains official advisories before taking remediation action. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Organizations should conduct their own risk assessment based on their specific TeamCity deployment, authentication architecture, and access controls. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).