CVE-2026-49381: Stored XSS in JetBrains TeamCity SAML Login
CVE-2026-49381 is a stored cross-site scripting (XSS) vulnerability in JetBrains TeamCity's SAML login page that existed prior to version 2026.1. An attacker with high privileges could inject malicious scripts into the login interface, which would then execute in the browsers of users who interact with that page. The vulnerability requires user interaction to trigger and has limited scope, affecting only the confidentiality of information visible to the victim during their session.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.4 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a stored XSS vulnerability (CWE-79) in TeamCity's SAML authentication endpoint. The flaw allows a high-privileged attacker to persist malicious JavaScript in the SAML login page context. When users visit the affected page, the injected script executes with the privileges of that user's session. The network attack surface is low complexity, suggesting the injection point is straightforward once privileged access is obtained. The vulnerability does not permit privilege escalation or system compromise; its impact is confined to session-scoped information disclosure on the client side.
Business impact
Organizations using TeamCity for CI/CD automation may experience reduced user confidence in their authentication system if this vulnerability is exploited. An insider or compromised administrator could inject convincing phishing content or session-stealing payloads into the SAML login page, potentially harvesting credentials or tokens. However, the requirement for high-level privileges significantly limits opportunistic exploitation. The low CVSS score reflects that this is primarily a supply-chain or insider-threat risk rather than a vector for broad system compromise.
Affected systems
JetBrains TeamCity versions prior to 2026.1 are affected. Organizations running TeamCity deployments with SAML authentication enabled are in scope. The vulnerability does not affect non-SAML authentication methods. Verify your running version against vendor advisories to confirm whether your deployment is within the vulnerable range.
Exploitability
Exploitation requires high-level administrative or system access within TeamCity, making mass exploitation unlikely. An attacker must already have sufficient privileges to inject content into the SAML login page—a capability typically restricted to admins. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, indicating no public evidence of active weaponization or in-the-wild attacks. Opportunistic scanning or unauthenticated exploitation is not feasible.
Remediation
Upgrade JetBrains TeamCity to version 2026.1 or later, which resolves the stored XSS vulnerability on the SAML login page. Review access controls to ensure that only trusted administrators have the ability to modify TeamCity configuration and authentication settings. Validate that your SAML identity provider configuration is correct and that no unexpected modifications have been made to the login interface.
Patch guidance
JetBrains has addressed this vulnerability in TeamCity 2026.1. Consult the official JetBrains TeamCity release notes and security advisories to confirm the exact version and any compatibility considerations before deployment. Plan the upgrade during a maintenance window, as it may require a brief service restart. Test the upgrade in a non-production environment first to verify that SAML authentication continues to function correctly.
Detection guidance
Monitor TeamCity audit logs for unexpected modifications to SAML login page configuration or authentication settings, particularly changes made by administrative accounts. Review browser console logs and HTTP responses from the SAML login endpoint for injected script tags or suspicious JavaScript. Implement content security policy (CSP) headers on the TeamCity login page to mitigate the impact of any stored XSS. Perform regular security reviews of admin access and look for unusual privilege elevation or account activity patterns.
Why prioritize this
Although this vulnerability carries a low CVSS score, it warrants attention in organizations where TeamCity administrators are not fully trusted or where SAML login pages are exposed to a wider user base. The fixed version is readily available, and remediation is straightforward. Prioritize this for environments with strict authentication security policies or those that have experienced prior insider threats. For most organizations, standard patching schedules are appropriate.
Risk score, explained
The CVSS 3.1 score of 3.4 (LOW) reflects the limited attack surface: high privileges are required, user interaction is necessary, and the impact is confined to confidentiality within a single session. There is no attack vector for authentication bypass, denial of service, or system-level compromise. The stored nature of the XSS elevates concern beyond a reflected variant, but the privilege barrier prevents this from being a critical issue.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires high-level administrative privileges within TeamCity to inject the malicious script. Unauthenticated users cannot inject content into the SAML login page.
Does this vulnerability allow an attacker to bypass SAML authentication or compromise TeamCity itself?
No. The vulnerability is limited to client-side script injection visible to users on the login page. It does not enable authentication bypass, privilege escalation, or access to TeamCity's backend systems. The impact is confined to potential credential theft or phishing if exploited.
Is this vulnerability being actively exploited in the wild?
No evidence of active exploitation has been reported. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog. It is a privilege-gated flaw that would require insider access or system compromise to weaponize.
What should I do if I cannot update TeamCity immediately?
Restrict administrative access to only trusted users, monitor audit logs for unauthorized configuration changes, and implement network-level controls to limit who can access the TeamCity login interface. Apply a web application firewall rule to detect and block injected script patterns if possible.
This analysis is provided for informational purposes and based on publicly available vulnerability data as of the publication date. Verify all technical details, affected version ranges, and patch availability directly with JetBrains official advisories before taking remediation action. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Organizations should conduct their own risk assessment based on their specific TeamCity deployment, authentication architecture, and access controls. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-49368HIGHJetBrains YouTrack Stored XSS in Notification Templates (CVSS 8.7)
- CVE-2026-49371HIGHReflected XSS in JetBrains TeamCity Keyword Filter
- CVE-2026-49375MEDIUMTeamCity Reflected XSS on Repository Download Page – Patch Guidance
- CVE-2026-49384MEDIUMStored XSS in JetBrains PyCharm Jupyter Notebooks
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System
- CVE-2026-10234LOWMettle Sendportal XSS Vulnerability – Campaign Handler Remote Exploit
- CVE-2026-10244LOWSourceCodester Pharmacy Sales and Inventory System XSS Vulnerability