CVE-2026-44413 Overview
CVE-2026-44413 affects JetBrains TeamCity versions before 2026.1 and 2025.11.5. The vulnerability allows authenticated users to expose server API endpoints to unauthorised access. The flaw is categorized under [CWE-306] Missing Authentication for a Critical Function. JetBrains addressed the issue in the cumulative 2026.1 and 2025.11.5 releases.
TeamCity is a continuous integration and deployment (CI/CD) server used to build, test, and deploy software. Exposure of server APIs in CI/CD platforms can leak build configurations, artifacts, source code references, and operational metadata.
Critical Impact
Authenticated users can expose internal server API surfaces to unauthorised parties, enabling confidentiality loss across TeamCity build infrastructure.
Affected Products
- JetBrains TeamCity versions before 2026.1
- JetBrains TeamCity versions before 2025.11.5
- All TeamCity on-premises deployments running affected builds
Discovery Timeline
- 2026-05-11 - CVE-2026-44413 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-44413
Vulnerability Analysis
The vulnerability resides in the authorization layer of TeamCity's server API. Authenticated users can perform actions that expose API endpoints or responses to parties that should not have access. The issue maps to [CWE-306] Missing Authentication for a Critical Function, indicating that a critical operation lacks adequate authentication or access-control enforcement.
The published CVSS vector rates the attack as network-based and as requiring neither privileges nor user interaction, so the exposure can be reached remotely once the API surface is accessible. Confidentiality is the primary impact; integrity and availability are not affected according to the published vector.
The EPSS probability for active exploitation remains low at the time of publication, and no public proof-of-concept code has been released.
Root Cause
The root cause is missing or insufficient authentication enforcement on a server API path inside TeamCity. The server accepts requests against endpoints that should be gated by stricter access checks. JetBrains has not published low-level technical details of the affected endpoint.
Attack Vector
An authenticated TeamCity user interacts with the affected API surface and causes information that should remain restricted to become reachable by unauthorised actors. The vulnerability is reachable over the network on any TeamCity instance exposing its web UI or REST API.
No verified exploit code is currently available. The vulnerability is described in prose only; see the JetBrains Privacy and Security Issues Fixed advisory for vendor guidance.
Detection Methods for CVE-2026-44413
Indicators of Compromise
- Unexpected REST API calls from authenticated user accounts to endpoints those accounts do not normally use.
- API responses containing build configuration, project, or artifact metadata returned to clients outside the expected authorization scope.
- Anomalous spikes in /app/rest/ request volume in TeamCity access logs.
Detection Strategies
- Review TeamCity access logs (logs/teamcity-rest.log and teamcity-server.log) for API requests that reference projects or build configurations the calling user is not assigned to.
- Compare user role assignments against API request patterns to identify lateral access attempts.
- Inspect HTTP Referer and source IP patterns to identify scripted enumeration of API endpoints.
Monitoring Recommendations
- Forward TeamCity server and REST logs to a centralized log platform with alerting on high-frequency REST enumeration.
- Enable audit logging for permission changes and API token issuance, and review weekly.
- Track outbound transfers of build artifacts and review any large or unexpected downloads by authenticated accounts.
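The two log-based strategies above (REST requests touching projects the caller is not assigned to, and high-frequency REST enumeration from one account) can be checked offline. The following Python is an added example, not code from the advisory, NVD or JetBrains. The log line format, every sample line, and the ASSIGNMENTS role export are constructed for this example; real teamcity-rest.log and teamcity-server.log layouts differ, so only parse_line() needs adapting to them.

```python
# Added example (not from the advisory, NVD or JetBrains): an offline detector that
# applies two of the page's detection strategies to TeamCity REST log lines:
#   1. REST requests that reference a project the calling user is not assigned to
#   2. high-frequency REST enumeration from a single account
# Assumptions: the line format and every sample line below are constructed for this
# example; real teamcity-rest.log / teamcity-server.log layouts differ, so only
# parse_line() needs adapting. ASSIGNMENTS stands in for an export of TeamCity roles.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format (assumed): "<ISO timestamp> <user> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Project ids appear in REST locators ("project:Payments") or paths ("/projects/id:Payments").
PROJECT_RE = re.compile(r"(?:project:|/projects/id:)([A-Za-z0-9_]+)")

SAMPLE_LOG = [
    "2026-05-12T09:00:01 alice GET /app/rest/buildTypes?locator=project:Payments 200",
    "2026-05-12T09:00:02 alice GET /app/rest/projects/id:Payments 200",
    "2026-05-12T09:00:05 bob GET /app/rest/projects/id:Payments 200",
    "2026-05-12T09:00:06 bob GET /app/rest/builds?locator=project:Billing 200",
    "2026-05-12T09:00:07 bob GET /app/rest/projects/id:Billing/parameters 200",
    "2026-05-12T09:00:09 ci-bot GET /app/rest/builds?locator=project:Website,count:1 200",
    "malformed line that the parser must skip",
] + [
    # 25 REST calls in 25 seconds from one account: enumeration, not normal use
    f"2026-05-12T09:01:{i:02d} eve GET /app/rest/buildTypes/id:Website_Build{i}/settings 200"
    for i in range(25)
]

# Constructed role export: user -> project ids the user is assigned to.
ASSIGNMENTS = {
    "alice": {"Payments"},
    "bob": {"Website"},
    "ci-bot": {"Website", "Payments"},
    "eve": {"Website"},
}


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, method, path, status = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "user": user, "method": method, "path": path, "status": int(status)}


def project_refs(path):
    """Project ids referenced by a REST path or locator."""
    return set(PROJECT_RE.findall(path))


def find_out_of_scope(lines, assignments):
    """(user, project, path) for every request touching a project outside the user's assignments."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        allowed = assignments.get(rec["user"], set())  # unknown user: nothing is allowed
        for project in sorted(project_refs(rec["path"]) - allowed):
            findings.append((rec["user"], project, rec["path"]))
    return findings


def find_enumeration(lines, window_seconds=60, threshold=20):
    """user -> peak REST request count in any sliding window that reached the threshold."""
    stamps = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"].startswith("/app/rest/"):
            stamps[rec["user"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    hits = {}
    for user, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[user] = peak
    return hits


if __name__ == "__main__":
    for user, project, path in find_out_of_scope(SAMPLE_LOG, ASSIGNMENTS):
        print(f"OUT-OF-SCOPE {user} -> {project}: {path}")
    for user, count in find_enumeration(SAMPLE_LOG).items():
        print(f"ENUMERATION {user}: {count} REST requests within 60s")
```

The scope check is only as good as the role export it is fed: regenerate ASSIGNMENTS from the server's current role assignments (including group-inherited roles) before each run, or every legitimate request by a user whose role changed will surface as a finding. The enumeration threshold is a starting point; tune it against a baseline of the instance's own automation accounts, which routinely exceed interactive request rates.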
How to Mitigate CVE-2026-44413
Immediate Actions Required
- Upgrade TeamCity to 2026.1 or later, or to maintenance release 2025.11.5 or later.
- Audit all active user accounts and revoke any that are no longer required.
- Rotate API tokens issued before the upgrade, particularly those tied to service accounts.
Patch Information
JetBrains fixed CVE-2026-44413 in TeamCity 2026.1 and the maintenance release 2025.11.5. Patch details and the consolidated security bulletin are available in the JetBrains Privacy and Security Issues Fixed advisory. Apply the upgrade through the standard TeamCity upgrade workflow.
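When reviewing a fleet of TeamCity servers, the first question is which reported version strings fall before the fixed releases named above. The following Python is an added example, not JetBrains code or anything from the advisory; it implements the page's statement taken literally (affected if older than 2026.1, unless on the 2025.11 line at 2025.11.5 or later). All version strings and the build number in it are constructed samples.

```python
# Added example, not JetBrains code: classify a TeamCity version string against the
# fixed releases named in the advisory (2026.1 and maintenance release 2025.11.5).
# The rule implemented is the advisory's statement taken literally: a build is
# affected if it is older than 2026.1, unless it is on the 2025.11 line at 2025.11.5
# or later. All version strings and build numbers below are constructed samples.
import re

FIXED_MAJOR = (2026, 1, 0)               # first release line carrying the fix
BACKPORTS = {(2025, 11): (2025, 11, 5)}  # maintenance line -> first fixed build on it

# Take the numeric prefix of strings such as "2025.11.4 (build 191000)" (constructed).
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'2025.11.4 (build 191000)' -> (2025, 11, 4); a missing patch component is 0."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no TeamCity version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(text):
    """True when the version predates the fix for CVE-2026-44413."""
    version = parse_version(text)
    line = version[:2]
    if line in BACKPORTS:            # maintenance line with a backported fix
        return version < BACKPORTS[line]
    return version < FIXED_MAJOR     # every other line: fixed only from 2026.1 onward


def triage(versions):
    """Map each reported version string to 'affected' or 'fixed' for a fleet review."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample fleet; on a real server the string is shown in the web UI
    # and by the REST API's server endpoint (/app/rest/server).
    fleet = ["2025.11.4 (build 191000)", "2025.11.5", "2025.07.3", "2026.1"]
    for version, verdict in triage(fleet).items():
        print(f"{version}: {verdict}")
```

A version label alone does not prove the fix is live: confirm the running build after the upgrade workflow completes, since a staged-but-not-restarted server still reports the old version.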
Workarounds
- Restrict TeamCity server reachability to trusted networks and VPN-attached administrators until the patch is applied.
- Reduce account privileges so that authenticated users hold only the minimum role required for their projects.
- Place TeamCity behind a reverse proxy that enforces additional authentication on the /app/rest/ path.
# Example: restrict REST API access at the reverse proxy (nginx)
# Assumes an `upstream teamcity-backend { ... }` block pointing at the TeamCity server.
location /app/rest/ {
    # IP allow-list, not authentication: only the internal range reaches the REST API.
    # If another load balancer sits in front of nginx, configure real_ip_header first,
    # otherwise `allow` only ever sees the balancer's address.
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://teamcity-backend;
}
This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.