CVE-2026-49371 Overview
CVE-2026-49371 is a reflected cross-site scripting (XSS) vulnerability in JetBrains TeamCity versions before 2026.1.1. The flaw exists in the keyword filter component, which fails to properly sanitize user-supplied input before reflecting it back in HTTP responses. Attackers can craft malicious URLs containing JavaScript payloads that execute in a victim's browser when followed. Because TeamCity is a continuous integration and deployment (CI/CD) platform, successful exploitation can expose build configurations, source code references, and pipeline credentials. The vulnerability is tracked under [CWE-79] (Improper Neutralization of Input During Web Page Generation).
Critical Impact
Attackers can hijack authenticated TeamCity sessions, steal build secrets, and pivot into connected source code repositories by tricking users into clicking crafted URLs.
Affected Products
- JetBrains TeamCity versions prior to 2026.1.1
- TeamCity on-premises self-hosted deployments
- TeamCity instances exposing the keyword filter interface to authenticated or unauthenticated users
Discovery Timeline
- 2026-05-29 - CVE-2026-49371 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-49371
Vulnerability Analysis
The vulnerability stems from improper output encoding in the keyword filter feature of TeamCity. When a user submits a search keyword, the application reflects the value back into the rendered HTML response without applying contextual escaping. An attacker who controls the keyword parameter can inject arbitrary HTML or JavaScript that executes in the browser of any user who loads the crafted URL.
Reflected XSS in a CI/CD platform carries significant downstream risk. TeamCity stores VCS credentials, deployment tokens, and artifact repository keys accessible to authenticated build administrators. An attacker who lands script execution in an administrator's browser can issue API requests on their behalf, exfiltrate build logs, or modify build configurations to inject malicious code into downstream releases.
Exploitation requires user interaction, as the victim must visit a crafted link. The scope is changed because the injected script executes in the security context of the TeamCity origin, allowing the attacker to read and modify resources beyond the initial vulnerable component.
Root Cause
The root cause is missing or insufficient HTML entity encoding when the keyword filter parameter is written into the response body. The component trusts client-supplied input and renders it directly into the DOM, violating the principle of contextual output encoding.
Attack Vector
The attack is delivered over the network. An attacker crafts a URL pointing to the vulnerable TeamCity endpoint with a malicious keyword payload. The attacker delivers this URL through phishing email, chat platforms, or a public web page. When an authenticated TeamCity user loads the URL, the payload executes within their session, enabling session token theft, CSRF-style API abuse, or further client-side attacks. Refer to the JetBrains Security Issues Fixed advisory for vendor-confirmed technical details.
Detection Methods for CVE-2026-49371
Indicators of Compromise
- HTTP requests to TeamCity URLs containing encoded <script>, javascript:, or onerror= payloads in the keyword filter parameter
- Outbound requests from TeamCity user browsers to attacker-controlled domains shortly after clicking external links
- Anomalous API calls originating from administrator sessions, especially configuration changes or credential exports
Detection Strategies
- Inspect web proxy and WAF logs for query strings containing HTML or JavaScript syntax targeting TeamCity endpoints
- Correlate TeamCity audit log entries with browser referer headers to identify sessions initiated from suspicious external sources
- Hunt for unusual session token reuse patterns or geographically inconsistent administrator logins following URL clicks
Monitoring Recommendations
- Enable verbose HTTP request logging on the TeamCity reverse proxy and forward logs to a centralized SIEM
- Alert on TeamCity API requests that modify build configurations or VCS connections outside of approved change windows
- Monitor email and chat gateways for inbound URLs referencing TeamCity hostnames with suspicious query parameters
How to Mitigate CVE-2026-49371
Immediate Actions Required
- Upgrade JetBrains TeamCity to version 2026.1.1 or later, where the keyword filter input is properly encoded
- Rotate any VCS tokens, deployment keys, and administrator API tokens that may have been accessible during the exposure window
- Restrict TeamCity administrative access to trusted network ranges using firewall or reverse proxy access control lists
Patch Information
JetBrains addressed CVE-2026-49371 in TeamCity 2026.1.1. Administrators should download the patched build from JetBrains and apply it according to the upgrade procedures documented at the JetBrains Security Issues Fixed page. Verify the running version after upgrade using the TeamCity diagnostics page or the /app/rest/server REST endpoint.
Workarounds
- Place TeamCity behind a web application firewall configured to block reflected XSS patterns in query parameters
- Enforce a strict Content Security Policy (CSP) via the reverse proxy to limit inline script execution in the TeamCity origin
- Require administrators to access TeamCity only through isolated browser profiles that do not handle untrusted external links
# Example nginx reverse proxy hardening for TeamCity
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
