JetBrains Patches High-Severity TeamCity Privilege Escalation Flaw (CVE-2026-44413)
JetBrains has released a fix for CVE-2026-44413, a high-severity privilege escalation vulnerability in TeamCity On-Premises that could expose REST API endpoints and leak sensitive credentials.

JetBrains has patched a high-severity vulnerability (CVE-2026-44413) in TeamCity, its popular continuous integration and continuous delivery platform, and is urging organizations with on-premises and self-managed deployments to upgrade to the fixed version or implement a security patch.
The flaw, discovered by researcher Martin Orem of offensive security services provider Binary House, allows for privilege escalation and may allow attackers to expose some parts of the TeamCity server API to unauthorized users. TeamCity's REST API is extensive, with many endpoints, some of which may expose sensitive information such as API tokens; Git credentials; secrets and passwords used in builds; build logs; usernames, email addresses and user roles. Some of these secrets may be leveraged to access cloud infrastructure or source code repositories, and potentially compromise software delivery pipelines.
While exploitation of CVE-2026-44413 requires access to a TeamCity account, such accounts can be acquired via brute force or credential stuffing attacks, from leaks of credentials stolen in previous breaches, or through social engineering. TeamCity instances occasionally have "guest access" enabled, allowing anyone to log in without credentials, which further lowers the barrier to exploitation.
The vulnerability affects TeamCity On-Premises versions 2025.11.4 and earlier, and has been fixed in version 2026.1. The company also released a security patch plugin that can be installed on TeamCity versions 2017.1 and later. JetBrains noted that the vulnerability affects all TeamCity installations where the firewall permits inbound connections on ports other than the standard HTTP/HTTPS one used by TeamCity, or where build agents are running on the same host as the TeamCity server.
In the past, JetBrains TeamCity on-premises servers have been targeted by both state-sponsored and financially motivated threat actors, leveraging authentication bypass (CVE-2023-42793, CVE-2024-27198) and path traversal (CVE-2024-27199) vulnerabilities. While there is currently no mention of CVE-2026-44413 being exploited in the wild, the history of active attacks against TeamCity makes prompt patching critical.
Organizations running TeamCity on-premises should immediately upgrade to version 2026.1 or apply the security patch plugin. As a general best practice, JetBrains strongly recommends restricting inbound network access to only required ports to reduce the attack surface.
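
For teams with several servers, the version boundaries and the two exposure conditions JetBrains describes can be turned into a quick inventory triage. The script below is an added example, not JetBrains code: the Server record, its field names, the status labels and the sample inventory are all constructed for illustration, and it assumes plain dotted version strings.

```python
from dataclasses import dataclass, field

FIXED = (2026, 1)       # first fixed release named in the article
PLUGIN_MIN = (2017, 1)  # oldest release the security patch plugin installs on

def parse_version(text):
    """Assumes plain dotted versions: '2025.11.4' -> (2025, 11, 4)."""
    return tuple(int(part) for part in text.strip().split("."))

@dataclass
class Server:  # hypothetical inventory record, not a TeamCity data structure
    name: str
    version: str
    web_port: int                                    # HTTP/HTTPS port TeamCity is served on
    inbound_ports: set = field(default_factory=set)  # ports the firewall admits to the host
    agent_on_host: bool = False
    patch_plugin: bool = False
    guest_access: bool = False

def triage(s):
    """Return (status, reasons) for one server."""
    v = parse_version(s.version)
    if v >= FIXED:
        return "fixed", []
    if s.patch_plugin and v >= PLUGIN_MIN:
        return "patched-by-plugin", []
    reasons = []
    extra = sorted(s.inbound_ports - {s.web_port})
    if extra:
        reasons.append(f"firewall admits non-web ports {extra}")
    if s.agent_on_host:
        reasons.append("build agent runs on the server host")
    if not reasons:
        # Unpatched, but neither condition from the advisory shows up in the inventory.
        return "unpatched-conditions-not-observed", []
    if s.guest_access:
        reasons.append("guest access enabled: no credentials needed to log in")
    if v < PLUGIN_MIN:
        reasons.append("older than 2017.1: plugin unavailable, upgrade required")
    return "exposed", reasons

INVENTORY = [  # constructed sample data
    Server("ci-a", "2025.11.4", 8111, {8111, 22}, guest_access=True),
    Server("ci-b", "2024.3", 443, {443}, agent_on_host=True, patch_plugin=True),
    Server("ci-c", "2026.1", 443, {443, 22}),
    Server("ci-d", "2016.2.4", 8111, {8111}, agent_on_host=True),
    Server("ci-e", "2023.5.1", 443, {443}),
]

if __name__ == "__main__":
    for srv in INVENTORY:
        print(srv.name, *triage(srv))
```

Servers reported as "unpatched-conditions-not-observed" still run an affected version; the label only means the inventory shows neither exposure condition, so they remain on the upgrade list.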