VYPR
Vypr IntelligenceAI-generatedMay 31, 2026· 11 CVEs

JetBrains TeamCity: 11 CVEs in Bulk Disclosure — RCE, SSRF, and Credential Leaks Patched in 2026.1

JetBrains patched 11 security vulnerabilities in TeamCity on May 29, 2026, including a high-severity RCE via Perforce connection settings and an unauthenticated SSRF, all fixed in version 2026.1.

Key findings

  • RCE via Perforce connection settings (CVE-2026-49373, CVSS 7.1) is the most dangerous bug in the batch
  • Unauthenticated SSRF (CVE-2026-49372, CVSS 7.5) requires no credentials to exploit
  • Credential exposure via thread names (CVE-2026-49379) and autocompletion (CVE-2026-49378) affect credential hygiene
  • Three reflected XSS bugs patched; one stored XSS on the SAML login page
  • All 11 CVEs fixed in TeamCity 2026.1; subset backported to 2025.11.5
  • No active exploitation reported as of disclosure date

JetBrains released TeamCity 2026.1 on May 29, 2026, bundling fixes for 11 distinct security vulnerabilities disclosed in a single advisory batch. The cluster spans low-severity XSS and open redirect issues up to high-severity flaws including remote code execution, unauthenticated server-side request forgery (SSRF), and improper permission checks that could expose build configuration parameters. Users running any version prior to 2026.1 — or, for a subset of bugs, prior to 2025.11.5 — are urged to upgrade immediately.

Remote code execution and SSRF top the severity list. The most critical finding is CVE-2026-49373 (CVSS 7.1, High), a remote code execution vulnerability reachable through Perforce connection settings. An attacker with sufficient access to configure a Perforce VCS root could leverage this to execute arbitrary code on the TeamCity server. Equally concerning is CVE-2026-49372 (CVSS 7.5, High), an unauthenticated SSRF via the build status feature — this bug requires no authentication to exploit and could allow an attacker to probe internal network resources from the TeamCity host. Both vulnerabilities are fixed in TeamCity 2026.1, with CVE-2026-49372 also patched in the backport release 2025.11.5.

Permission and credential exposure bugs form the largest thematic group. CVE-2026-49374 (CVSS 7.6, High) stems from improper permission checks that could expose build configuration parameters to unauthorized users. Two medium-severity CVEs target credential leakage through different channels: CVE-2026-49379 (CVSS 6.5) describes credentials exposed in thread names, while CVE-2026-49378 (CVSS 4.3) covers credential parameters leaked via the parameter autocompletion feature. Additionally, CVE-2026-49377 (CVSS 4.3) exposes sensitive data through default agent parameters in versions before 2025.11.2.

Cross-site scripting and SAML plugin issues round out the batch. Three reflected XSS vulnerabilities were disclosed: CVE-2026-49375 (CVSS 6.1) on the repository download page, and CVE-2026-49371 (CVSS 7.1, High) in the keyword filter — both patched in 2026.1 and 2025.11.5. A stored XSS, CVE-2026-49381 (CVSS 3.4, Low), affects the SAML login page. The SAML plugin also carries CVE-2026-49380 (CVSS 3.1, Low), an open redirect, and CVE-2026-49376 (CVSS 6.5, Medium), which allows insufficient username validation that could enable account manipulation in SAML-authenticated environments.

Patch status and mitigations. All 11 CVEs are addressed in TeamCity 2026.1. For users unable to upgrade immediately, JetBrains has also backported fixes for CVE-2026-49375, CVE-2026-49372, and CVE-2026-49371 to the 2025.11.x release line, available in version 2025.11.5. CVE-2026-49377 was fixed in the earlier 2025.11.2 release. No in-the-wild exploitation has been publicly reported as of the disclosure date, but the presence of an unauthenticated SSRF (CVE-2026-49372) and a Perforce-triggered RCE (CVE-2026-49373) makes timely patching a priority for any organization running TeamCity as part of their CI/CD pipeline.

Why this batch matters. TeamCity is a widely adopted build server and continuous integration platform, often positioned with access to source code repositories, credentials, and internal network resources. The breadth of this disclosure — spanning credential leaks, XSS, SSRF, and RCE — reflects a thorough internal audit by JetBrains. For administrators, the key takeaway is that the 2026.1 release is a mandatory upgrade, not a routine feature update. Organizations still on the 2025.11 branch should at minimum reach 2025.11.5 to close the three highest-priority issues backported there.

AI-written article. Grounded in 11 CVE records listed below.