CVE-2026-28194 Overview
CVE-2026-28194 is an open redirect vulnerability discovered in JetBrains TeamCity, a popular continuous integration and continuous delivery (CI/CD) server. The vulnerability exists in the React project creation flow, allowing attackers to craft malicious URLs that redirect users to arbitrary external websites. This type of vulnerability is classified under CWE-601 (URL Redirection to Untrusted Site, also known as 'Open Redirect').
Open redirect vulnerabilities are particularly dangerous in enterprise CI/CD environments like TeamCity because they can be leveraged for phishing attacks, credential theft, and as a stepping stone for more sophisticated attack chains against development infrastructure.
Critical Impact
Attackers can exploit this open redirect to craft convincing phishing URLs using the trusted TeamCity domain, potentially leading to credential theft or malware distribution targeting developers and DevOps teams.
Affected Products
- JetBrains TeamCity versions prior to 2025.11.3
Discovery Timeline
- 2026-02-25 - CVE-2026-28194 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-28194
Vulnerability Analysis
This open redirect vulnerability occurs within the React project creation workflow of JetBrains TeamCity. The application fails to properly validate or sanitize URL parameters that control redirect destinations during the project setup process. When a user interacts with the project creation interface, the application accepts URL parameters that can redirect users to external, potentially malicious websites.
The vulnerability requires user interaction to exploit, as victims must click on a crafted link. However, because the initial URL points to a legitimate TeamCity server, users may trust the link and follow it without suspicion. The CVSS scope metric for this vulnerability is "Changed", meaning the vulnerable component impacts resources beyond its security scope.
Root Cause
The root cause of CVE-2026-28194 is insufficient input validation in the URL redirect logic within the React project creation flow. The application accepts user-controllable input for redirect destinations without properly verifying that the target URL belongs to the same domain or an allowlisted set of trusted domains. This violates the security principle of validating all user input, particularly for security-sensitive operations like URL redirections.
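The same-origin or allowlist check described above can be sketched as follows. This is an added example, not JetBrains' code or the actual patch; the function name, the fallback path and the `teamcity.example.internal` origin are assumptions made for illustration.

```javascript
// Added example: SERVER_ORIGIN, ALLOWED_ORIGINS, FALLBACK and safeRedirectTarget
// are hypothetical names; the origin is a constructed placeholder.
const SERVER_ORIGIN = "https://teamcity.example.internal";
const ALLOWED_ORIGINS = new Set([SERVER_ORIGIN]);
const FALLBACK = "/";

// Returns a destination that is safe to redirect to, or FALLBACK.
function safeRedirectTarget(raw, base = SERVER_ORIGIN, allowed = ALLOWED_ORIGINS) {
  if (typeof raw !== "string" || raw.length === 0) return FALLBACK;
  // URL parsers silently drop tab/CR/LF, which can hide a host; reject them outright.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return FALLBACK;
  let url;
  try {
    // Resolve the way a browser would, so "//host" and "/\host" show their real target.
    url = new URL(raw, base);
  } catch {
    return FALLBACK;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return FALLBACK;
  // "https://trusted@other-host/" puts the trusted name in userinfo, not in the host.
  if (url.username || url.password) return FALLBACK;
  // Compare the full origin (scheme, host, port), never a substring or prefix.
  if (!allowed.has(url.origin)) return FALLBACK;
  return url.origin === new URL(base).origin
    ? url.pathname + url.search + url.hash // same origin: hand back a path only
    : url.href;
}

// Constructed inputs covering the usual bypass shapes.
for (const input of ["/project/new?step=2", "//evil.example/login", "/\\evil.example"]) {
  console.log(JSON.stringify(input), "->", safeRedirectTarget(input));
}
```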
Attack Vector
The attack is network-based and requires an attacker to craft a malicious URL that exploits the open redirect vulnerability. The typical attack flow involves:
- An attacker identifies the vulnerable endpoint in the React project creation flow
- The attacker constructs a malicious URL pointing to the legitimate TeamCity server but containing a redirect parameter to an attacker-controlled site
- The attacker distributes this URL through phishing emails, social engineering, or other channels
- When a victim clicks the link, they are first directed to the trusted TeamCity server, then immediately redirected to the malicious destination
- The attacker's site may host credential harvesting pages, malware, or other malicious content
This attack is particularly effective because the initial URL appears legitimate and may bypass email security filters that check only the primary domain.
Detection Methods for CVE-2026-28194
Indicators of Compromise
- Unusual redirect parameters in TeamCity access logs containing external domains
- HTTP requests to TeamCity project creation endpoints with suspicious URL parameters
- User reports of unexpected redirects when accessing TeamCity links
- Network traffic showing redirects from TeamCity servers to unknown external domains
Detection Strategies
- Monitor web application firewall (WAF) logs for requests containing redirect parameters pointing to external domains
- Implement URL parameter analysis on TeamCity endpoints to detect potential open redirect attempts
- Review access logs for unusual patterns in the project creation workflow
- Deploy network monitoring to detect unexpected outbound redirects from TeamCity infrastructure
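One way to apply the access-log review above is to flag any query parameter whose value would resolve to a host outside the trusted set. This is an added example, not part of the original advisory; the log lines, paths, parameter names and hosts are constructed placeholders, since the advisory does not name the affected endpoint or parameter.

```javascript
// Added example: hosts, paths and parameter names below are constructed placeholders.
const BASE = "https://teamcity.example.internal";
const TRUSTED_ORIGINS = new Set([BASE]);

// Constructed access-log lines (combined log format).
const SAMPLE_LOG = [
  '10.0.0.5 - alice [25/Feb/2026:10:01:02 +0000] "GET /placeholder/create?step=2 HTTP/1.1" 200 512',
  '10.0.0.9 - - [25/Feb/2026:10:03:40 +0000] "GET /placeholder/create?next=https%3A%2F%2Flogin.attacker.example%2Fsso HTTP/1.1" 302 0',
  '10.0.0.9 - - [25/Feb/2026:10:03:41 +0000] "GET /placeholder/create?next=%2F%2Flogin.attacker.example HTTP/1.1" 302 0',
  '10.0.0.7 - bob [25/Feb/2026:10:05:00 +0000] "GET /placeholder/create?next=%2Fplaceholder%2Foverview&filter=id%3AFoo HTTP/1.1" 302 0',
  '10.0.0.9 - - [25/Feb/2026:10:06:12 +0000] "GET /placeholder/create?next=%252F%252Flogin.attacker.example HTTP/1.1" 302 0',
];

// Returns the external host a parameter value would lead to, or null.
function externalHost(value) {
  const candidates = new Set([value]);
  // One extra decode catches double-encoded values such as %252F%252Fhost.
  try { candidates.add(decodeURIComponent(value)); } catch { /* malformed escape: keep raw value */ }
  for (const candidate of candidates) {
    let url;
    try { url = new URL(candidate, BASE); } catch { continue; }
    // Values like "id:Foo" parse as a custom scheme; only web destinations count.
    if (url.protocol !== "http:" && url.protocol !== "https:") continue;
    if (!TRUSTED_ORIGINS.has(url.origin)) return url.host;
  }
  return null;
}

// Scans every query parameter, so no parameter name has to be known in advance.
function findRedirectSuspects(lines) {
  const suspects = [];
  lines.forEach((line, i) => {
    const m = /"(?:GET|POST|HEAD) (\/\S*) HTTP\/[\d.]+"/.exec(line);
    if (!m) return;
    let request;
    try { request = new URL(BASE + m[1]); } catch { return; }
    for (const [param, value] of request.searchParams) {
      const host = externalHost(value);
      if (host) suspects.push({ line: i + 1, param, host });
    }
  });
  return suspects;
}

console.log(findRedirectSuspects(SAMPLE_LOG));
```

Hits are triage leads rather than proof of exploitation: a parameter that legitimately carries an external URL will also match, so add such hosts to the trusted set.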
Monitoring Recommendations
- Enable verbose logging on TeamCity servers to capture full request URLs including parameters
- Configure SIEM rules to alert on redirect patterns to untrusted domains originating from TeamCity
- Implement user behavior analytics to detect anomalous access patterns to project creation endpoints
- Establish baseline traffic patterns for TeamCity and alert on deviations
How to Mitigate CVE-2026-28194
Immediate Actions Required
- Upgrade JetBrains TeamCity to version 2025.11.3 or later immediately
- Review access logs for any evidence of exploitation attempts
- Alert users about potential phishing attacks leveraging TeamCity URLs
- Implement network-level controls to restrict outbound redirects if possible
Patch Information
JetBrains has addressed this vulnerability in TeamCity version 2025.11.3. Organizations should upgrade to this version or later to remediate CVE-2026-28194. The patch implements proper validation of redirect URLs to ensure they point only to trusted destinations within the application's domain.
For detailed information about security fixes, refer to the JetBrains Security Issues Fixed advisory page.
Workarounds
- Deploy a web application firewall (WAF) with rules to block requests containing external URLs in redirect parameters
- Implement network egress filtering to restrict redirects from TeamCity to only approved domains
- Educate users to verify URLs carefully before clicking links, even if they appear to originate from trusted internal systems
- Consider restricting access to the project creation flow to authenticated users only via network segmentation
- Use browser extensions or security tools that warn users about redirect chains
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

