JetBrains TeamCity: 11 CVEs in Bulk Disclosure — RCE, SSRF, and Credential Leaks Patched in 2026.1
JetBrains patched 11 security vulnerabilities in TeamCity on May 29, 2026, including a high-severity RCE via Perforce connection settings and an unauthenticated SSRF, all fixed in version 2026.1.

JetBrains released TeamCity 2026.1 on May 29, 2026, bundling fixes for 11 distinct security vulnerabilities disclosed in a single advisory batch. The cluster spans low-severity XSS and open redirect issues up to high-severity flaws including remote code execution, unauthenticated server-side request forgery (SSRF), and improper permission checks that could expose build configuration parameters. Users running any version prior to 2026.1 — or, for a subset of bugs, prior to 2025.11.5 — are urged to upgrade immediately.
Remote code execution and SSRF top the severity list. The most critical finding is CVE-2026-49373 (CVSS 7.1, High), a remote code execution vulnerability reachable through Perforce connection settings. An attacker with sufficient access to configure a Perforce VCS root could leverage this to execute arbitrary code on the TeamCity server. Equally concerning is CVE-2026-49372 (CVSS 7.5, High), an unauthenticated SSRF via the build status feature — this bug requires no authentication to exploit and could allow an attacker to probe internal network resources from the TeamCity host. Both vulnerabilities are fixed in TeamCity 2026.1, with CVE-2026-49372 also patched in the backport release 2025.11.5.
Permission and credential exposure bugs form the largest thematic group. CVE-2026-49374 (CVSS 7.6, High) stems from improper permission checks that could expose build configuration parameters to unauthorized users. Two medium-severity CVEs target credential leakage through different channels: CVE-2026-49379 (CVSS 6.5) describes credentials exposed in thread names, while CVE-2026-49378 (CVSS 4.3) covers credential parameters leaked via the parameter autocompletion feature. Additionally, CVE-2026-49377 (CVSS 4.3) exposes sensitive data through default agent parameters in versions before 2025.11.2.
Cross-site scripting and SAML plugin issues round out the batch. Three reflected XSS vulnerabilities were disclosed: CVE-2026-49375 (CVSS 6.1) on the repository download page, and CVE-2026-49371 (CVSS 7.1, High) in the keyword filter — both patched in 2026.1 and 2025.11.5. A stored XSS, CVE-2026-49381 (CVSS 3.4, Low), affects the SAML login page. The SAML plugin also carries CVE-2026-49380 (CVSS 3.1, Low), an open redirect, and CVE-2026-49376 (CVSS 6.5, Medium), in which insufficient username validation could enable account manipulation in SAML-authenticated environments.
Patch status and mitigations. All 11 CVEs are addressed in TeamCity 2026.1. For users unable to upgrade immediately, JetBrains has also backported fixes for CVE-2026-49375, CVE-2026-49372, and CVE-2026-49371 to the 2025.11.x release line, available in version 2025.11.5. CVE-2026-49377 was fixed in the earlier 2025.11.2 release. No in-the-wild exploitation has been publicly reported as of the disclosure date, but the presence of an unauthenticated SSRF (CVE-2026-49372) and a Perforce-triggered RCE (CVE-2026-49373) makes timely patching a priority for any organization running TeamCity as part of its CI/CD pipeline.
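The fix versions above can be turned into a quick inventory check. The script below is an added example, not JetBrains code: it parses a TeamCity version string and lists which of the CVEs in this article remain open on it, using only the fix versions and CVSS scores stated here. The host names and build numbers in the sample inventory are constructed.

```python
import re

FULL_FIX = (2026, 1, 0)    # 2026.1: the release the article says fixes all 11 CVEs
BACKPORT = (2025, 11, 5)   # 2025.11.5: backport release for three of them
# (CVE, CVSS, summary, earliest fixed version), as stated in the article, highest CVSS first.
ADVISORIES = [
    ("CVE-2026-49374", 7.6, "permission checks expose build parameters", FULL_FIX),
    ("CVE-2026-49372", 7.5, "unauthenticated SSRF via build status", BACKPORT),
    ("CVE-2026-49373", 7.1, "RCE via Perforce connection settings", FULL_FIX),
    ("CVE-2026-49371", 7.1, "reflected XSS in keyword filter", BACKPORT),
    ("CVE-2026-49379", 6.5, "credentials exposed in thread names", FULL_FIX),
    ("CVE-2026-49376", 6.5, "SAML username validation", FULL_FIX),
    ("CVE-2026-49375", 6.1, "reflected XSS on repository download page", BACKPORT),
    ("CVE-2026-49378", 4.3, "credentials leaked via autocompletion", FULL_FIX),
    ("CVE-2026-49377", 4.3, "default agent parameters", (2025, 11, 2)),
    ("CVE-2026-49381", 3.4, "stored XSS on SAML login page", FULL_FIX),
    ("CVE-2026-49380", 3.1, "SAML plugin open redirect", FULL_FIX),
]

def parse_version(text):
    """Extract (year, release, patch) from strings like '2025.11.4 (build 1234)'."""
    m = re.search(r"\b(\d{4})\.(\d{1,2})(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no TeamCity version found in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def unpatched(version_text):
    """Return the advisories still open on this version, highest CVSS first."""
    v = parse_version(version_text)
    return [a for a in ADVISORIES if v < a[3]]

def triage(inventory):
    """Map host -> open CVE ids for a {host: version string} inventory."""
    return {host: [a[0] for a in unpatched(ver)] for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory: host names and build numbers are made up.
    inventory = {
        "ci-prod": "2025.11.5 (build 100001)",
        "ci-staging": "2025.11.1 (build 100000)",
        "ci-lab": "TeamCity 2026.1",
    }
    for host, cves in triage(inventory).items():
        print(f"{host}: {len(cves)} open -> {', '.join(cves) or 'none'}")
```

A server on 2025.11.5 still reports seven open CVEs here, including the Perforce RCE, because the article lists only three fixes as backported to that line.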
Why this batch matters. TeamCity is a widely adopted build server and continuous integration platform, often positioned with access to source code repositories, credentials, and internal network resources. The breadth of this disclosure — spanning credential leaks, XSS, SSRF, and RCE — reflects a thorough internal audit by JetBrains. For administrators, the key takeaway is that the 2026.1 release is a mandatory upgrade, not a routine feature update. Organizations still on the 2025.11 branch should at minimum reach 2025.11.5 to close the three highest-priority issues backported there.