CVE-2026-28195 Overview
A missing authorization vulnerability has been identified in JetBrains TeamCity before version 2025.11.3. This security flaw allows authenticated project developers to add parameters to build configurations without proper authorization checks. The vulnerability stems from insufficient access control enforcement (CWE-862), enabling users with developer-level access to modify build configurations beyond their intended permissions.
Critical Impact
Authenticated project developers can manipulate build configuration parameters, potentially leading to unauthorized modifications of CI/CD pipelines, injection of malicious build parameters, or compromise of build integrity.
Affected Products
- JetBrains TeamCity versions prior to 2025.11.3
Discovery Timeline
- 2026-02-25 - CVE-2026-28195 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-28195
Vulnerability Analysis
This vulnerability represents a Missing Authorization flaw in JetBrains TeamCity's build configuration management system. The issue allows project developers to bypass intended access restrictions when adding parameters to build configurations. In a properly secured TeamCity environment, the ability to modify build configuration parameters should be restricted to users with appropriate administrative or elevated privileges. However, due to the missing authorization check, any authenticated user with basic developer access can perform these modifications.
The attack requires network access and authenticated credentials with at least project developer privileges. While no user interaction is required to exploit this vulnerability, the impact is limited to integrity concerns—specifically the unauthorized modification of build parameters. This could enable an attacker to inject malicious variables, override critical build settings, or manipulate the CI/CD pipeline behavior.
Root Cause
The root cause is improper access control implementation (CWE-862 - Missing Authorization) in the TeamCity build configuration parameter handling functionality. The application fails to verify that the requesting user has sufficient privileges to add parameters to build configurations before processing the request. This oversight allows lower-privileged users to perform actions that should be restricted to administrators or users with elevated permissions.
Attack Vector
The vulnerability is exploitable over the network by authenticated users. An attacker with valid project developer credentials can craft requests to add parameters to build configurations they should not be authorized to modify.
The exploitation flow involves:
- An attacker authenticates to TeamCity with project developer credentials
- The attacker identifies target build configurations
- Through the TeamCity interface or API, the attacker submits requests to add parameters to build configurations
- Due to the missing authorization check, TeamCity processes these requests without validating the user's permission level
- The unauthorized parameters are added to the build configuration
For technical implementation details, refer to the JetBrains Security Advisory.
Detection Methods for CVE-2026-28195
Indicators of Compromise
- Unexpected or unauthorized parameters appearing in build configurations
- Audit log entries showing build configuration modifications by users without appropriate privileges
- Unusual API requests targeting build configuration parameter endpoints from developer accounts
Detection Strategies
- Review TeamCity audit logs for build configuration parameter modifications by users who should not have such access
- Monitor API access patterns for unusual parameter modification requests from developer-level accounts
- Implement alerting on build configuration changes that occur outside of approved change windows
- Compare current build configuration parameters against known-good baselines to detect unauthorized additions
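The baseline comparison in the last strategy can be automated. The sketch below is an added example, not code from JetBrains or from this advisory. The build configuration IDs and parameter values are constructed, and the `{"property": [{"name", "value"}]}` layout is an assumed export shape for each configuration's parameters.

```python
import json

# Constructed sample data: parameters per build configuration, in the assumed
# {"property": [{"name": ..., "value": ...}]} export shape (not real server output).
BASELINE = json.loads("""{
  "Backend_Build":  {"property": [{"name": "env.JAVA_HOME", "value": "/opt/jdk17"},
                                  {"name": "system.target", "value": "release"}]},
  "Backend_Deploy": {"property": [{"name": "env.DEPLOY_ENV", "value": "staging"}]}
}""")
CURRENT = json.loads("""{
  "Backend_Build":  {"property": [{"name": "env.JAVA_HOME", "value": "/opt/jdk17"},
                                  {"name": "system.target", "value": "release"},
                                  {"name": "env.MAVEN_OPTS", "value": "-Xmx2g"}]},
  "Backend_Deploy": {"property": [{"name": "env.DEPLOY_ENV", "value": "production"}]},
  "Backend_Nightly": {"property": [{"name": "env.CHANNEL", "value": "nightly"}]}
}""")


def to_map(export):
    """Flatten one configuration's export into {parameter name: value}.
    Entries without a value (e.g. masked secrets) compare as empty strings."""
    return {p["name"]: p.get("value", "") for p in export.get("property", [])}


def diff_parameters(baseline, current):
    """Return sorted (config_id, kind, name) findings for drift from the baseline."""
    findings = []
    for config_id, export in current.items():
        if config_id not in baseline:
            # A configuration with no baseline cannot be judged; flag it for review.
            findings.append((config_id, "unbaselined-config", "*"))
            continue
        old, new = to_map(baseline[config_id]), to_map(export)
        for name in new.keys() - old.keys():
            findings.append((config_id, "added", name))
        for name in old.keys() & new.keys():
            if old[name] != new[name]:
                findings.append((config_id, "changed", name))
        for name in old.keys() - new.keys():
            findings.append((config_id, "removed", name))
    return sorted(findings)


if __name__ == "__main__":
    for config_id, kind, name in diff_parameters(BASELINE, CURRENT):
        print(f"{config_id}: {kind} {name}")
```

Findings of kind `added` are the ones that map directly to this CVE; correlate each with the audit log to confirm who made the change.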
Monitoring Recommendations
- Enable comprehensive audit logging for all build configuration modifications in TeamCity
- Implement real-time alerting for parameter changes in critical build configurations
- Regularly review user permissions and access levels to enforce the principle of least privilege
- Deploy network monitoring to track API requests to TeamCity build configuration endpoints
How to Mitigate CVE-2026-28195
Immediate Actions Required
- Upgrade JetBrains TeamCity to version 2025.11.3 or later immediately
- Audit existing build configurations for any unauthorized parameter additions
- Review and verify user permission assignments across all projects
- Implement additional access controls at the network level to restrict TeamCity management access
Patch Information
JetBrains has addressed this vulnerability in TeamCity version 2025.11.3. Organizations should upgrade to this version or later to remediate the issue. For detailed information about security fixes, refer to the JetBrains Security Issues Fixed page.
Workarounds
- Restrict network access to TeamCity administrative interfaces using firewall rules or network segmentation
- Implement additional authentication layers such as VPN requirements for TeamCity access
- Limit the number of users with project developer access to reduce the attack surface
- Enable and monitor audit logging to detect any exploitation attempts before patching
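# Example: Restrict TeamCity access at the network level
# Add firewall rules to limit access to trusted IP ranges
# TRUSTED_CIDR is a placeholder (documentation range); set it to your trusted network
TRUSTED_CIDR="192.0.2.0/24"
# 8111 is TeamCity's default HTTP port; adjust if your server listens elsewhere
iptables -A INPUT -p tcp --dport 8111 -s "$TRUSTED_CIDR" -j ACCEPT
iptables -A INPUT -p tcp --dport 8111 -j DROP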
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


