CVE-2026-28196 Overview
CVE-2026-28196 is an Incomplete Cleanup vulnerability (CWE-459) in JetBrains TeamCity that affects versions prior to 2025.11.3. When versioned settings are disabled in TeamCity, the application fails to properly remove credentials configuration files from disk, potentially leaving sensitive authentication data accessible to local users with elevated privileges.
Critical Impact
Sensitive credentials may remain on disk after disabling versioned settings, potentially exposing authentication secrets to privileged local attackers.
Affected Products
- JetBrains TeamCity versions prior to 2025.11.3
Discovery Timeline
- February 25, 2026 - CVE-2026-28196 published to NVD
- February 25, 2026 - Last updated in NVD database
Technical Details for CVE-2026-28196
Vulnerability Analysis
This vulnerability falls under CWE-459 (Incomplete Cleanup), which occurs when an application does not properly clean up and remove temporary or persistent data when resources are no longer needed. In this case, JetBrains TeamCity fails to delete credentials configuration files from the filesystem when the versioned settings feature is disabled.
The impact of this vulnerability is primarily information disclosure. An attacker with local access and high privileges on the system where TeamCity is installed could potentially access residual credentials files that should have been removed. These credentials could then be used to gain unauthorized access to connected systems, version control repositories, or other integrated services that TeamCity was configured to access.
Root Cause
The root cause of this vulnerability is an incomplete cleanup routine in TeamCity's versioned settings management functionality. When a user disables versioned settings through the TeamCity interface, the application correctly updates its internal configuration state but fails to remove the associated credentials configuration file from the local disk. This oversight leaves sensitive credential data persisted in the filesystem even after the feature has been deactivated.
Attack Vector
Exploitation of this vulnerability requires local access to the system running TeamCity and high privileges. An attacker would need to:
- Gain local access to the server or workstation where TeamCity is installed
- Have elevated privileges sufficient to read files in the TeamCity configuration directories
- Locate the residual credentials configuration file left behind after versioned settings were disabled
- Extract and potentially abuse the stored credentials
The attack does not require user interaction and the scope is unchanged, meaning the vulnerability only affects the vulnerable component itself without impacting other components.
Detection Methods for CVE-2026-28196
Indicators of Compromise
- Presence of credentials configuration files in TeamCity's configuration directories after versioned settings have been disabled
- Unexpected file access or read operations on TeamCity configuration directories by non-service accounts
- Audit log entries showing access to versioned settings credential files by privileged users
Detection Strategies
- Monitor file system access to TeamCity configuration directories, particularly for read operations on credential-related files
- Implement file integrity monitoring (FIM) on TeamCity installation directories to detect unauthorized access
- Review TeamCity audit logs for changes to versioned settings configuration
- Scan for residual credential files that may exist after feature deactivation
Monitoring Recommendations
- Enable detailed audit logging for file access in TeamCity configuration directories
- Configure alerts for any access to credential configuration files by users other than the TeamCity service account
- Periodically audit the TeamCity configuration directory for orphaned credential files
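The periodic scan for orphaned credential files recommended above can be scripted. The following is an added example, not JetBrains code or part of the original advisory: it lists candidate files under a config tree with their mode, owner and modification date for manual review. The function name, the finding labels and the file-name glob are assumptions; the advisory does not name the credentials file, so the glob must be supplied by the operator.

```shell
#!/bin/sh
# Added example, not JetBrains code: list candidate leftover credential
# files under a TeamCity config tree for manual review.
#   usage: sh audit.sh CONFIG_DIR SERVICE_USER NAME_GLOB
# NAME_GLOB is a placeholder; the advisory does not name the file.
# Needs GNU stat (Linux). Paths containing newlines are not handled.

# Prints "<finding> <mode> <owner> <mtime-date> <path>" per matching file:
#   LOOSE_PERMS  group/other permission bits are set
#   WRONG_OWNER  not owned by the service account
#   PRESENT      locked down but still on disk; compare the date with
#                when versioned settings were disabled
audit_credential_files() (   # subshell body keeps variables local
    dir=$1 owner=$2 glob=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }
    find "$dir" -type f -name "$glob" | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        file_owner=$(stat -c '%U' "$f")
        mtime=$(stat -c '%y' "$f" | cut -d' ' -f1)
        # Leading 0 makes the shell read the mode as octal.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            finding=LOOSE_PERMS
        elif [ "$file_owner" != "$owner" ]; then
            finding=WRONG_OWNER
        else
            finding=PRESENT
        fi
        printf '%s %s %s %s %s\n' \
            "$finding" "$mode" "$file_owner" "$mtime" "$f"
    done
)

# Run only when all three arguments are given, e.g. (glob is illustrative):
#   sh audit.sh /opt/TeamCity/config teamcity '*credential*'
if [ "$#" -eq 3 ]; then
    audit_credential_files "$1" "$2" "$3"
fi
```

Any file reported on a server where versioned settings are disabled is a candidate for removal and for rotation of the secrets it holds, whatever its finding label.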
How to Mitigate CVE-2026-28196
Immediate Actions Required
- Upgrade JetBrains TeamCity to version 2025.11.3 or later
- Manually audit and remove any residual credentials configuration files from disk if versioned settings were previously disabled
- Rotate any credentials that may have been stored in the affected configuration files
- Review access logs for signs of unauthorized credential file access
Patch Information
JetBrains has addressed this vulnerability in TeamCity version 2025.11.3. Organizations should upgrade to this version or later to remediate the issue. For more information about this and other fixed security issues, refer to the JetBrains Security Issues Fixed page.
Workarounds
- Manually delete any residual credentials configuration files after disabling versioned settings
- Restrict local access to the TeamCity server to only essential administrators
- Implement strict file system permissions on TeamCity configuration directories to limit read access
- Consider enabling file integrity monitoring on critical configuration directories until patching is complete
```bash
# Configuration example - Restrict permissions on TeamCity config directory
# Linux example:
chmod 700 /opt/TeamCity/config
chown -R teamcity:teamcity /opt/TeamCity/config
# Windows example (PowerShell):
# icacls "C:\TeamCity\config" /inheritance:r /grant "SYSTEM:F" /grant "Administrators:R"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

