CVE-2026-49374 Overview
CVE-2026-49374 affects JetBrains TeamCity versions before 2026.1. The vulnerability stems from improper permission checks that expose build configuration parameters to authenticated users who should not have access. An attacker with network access to the server and a low-privilege account can retrieve sensitive build parameters that may contain secrets, credentials, or environment-specific configuration data. The flaw is categorized under CWE-862: Missing Authorization. JetBrains has addressed the issue in TeamCity 2026.1 and lists it on the official JetBrains Security Issues Fixed page.
Critical Impact
Authenticated attackers can access build configuration parameters that may contain secrets, API tokens, or other sensitive deployment data, undermining the confidentiality of CI/CD pipelines.
Affected Products
- JetBrains TeamCity versions prior to 2026.1
- Self-hosted TeamCity Server installations
- TeamCity build configurations storing sensitive parameters
Discovery Timeline
- 2026-05-29 - CVE-2026-49374 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-49374
Vulnerability Analysis
The vulnerability resides in TeamCity's permission enforcement logic for build configuration parameters. TeamCity allows administrators to define parameters at the project and build configuration level, including password-type parameters intended to remain hidden from users without elevated rights. Improper permission checks fail to verify whether the requesting user holds the necessary role before returning parameter values. As a result, users with limited access to a project can enumerate parameters they should not see. The issue maps to CWE-862: Missing Authorization.
Root Cause
The root cause is missing authorization at the application layer. TeamCity's API or web endpoints that expose parameter metadata do not consistently validate the caller's project-level role before returning data. The system trusts authentication alone and skips the secondary authorization step required to gate access to sensitive parameter values.
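To make the root-cause pattern concrete, here is an added example (not TeamCity's code, and not from JetBrains) of a parameter endpoint that checks authentication only, beside a version that also checks the caller's project-level role. The permission names, role names, the project layout and the rule that password-type values are masked are all assumptions made for this illustration; the one TeamCity behaviour it relies on is that roles granted on a parent project are inherited by its subprojects.

```python
"""CWE-862 illustration: an endpoint that trusts authentication alone,
next to one that also performs the project-level authorization step.

Hypothetical model; names and permissions are assumptions, not TeamCity's.
"""
from dataclasses import dataclass, field
from typing import Optional

VIEW_SETTINGS = "VIEW_BUILD_CONFIGURATION_SETTINGS"  # assumed permission name
EDIT_PROJECT = "EDIT_PROJECT"                         # assumed permission name

ROLE_PERMISSIONS = {                                  # assumed role -> permissions
    "PROJECT_VIEWER": {VIEW_SETTINGS},
    "PROJECT_ADMIN": {VIEW_SETTINGS, EDIT_PROJECT},
}


@dataclass
class Parameter:
    name: str
    value: str
    kind: str = "text"          # "text" or "password"


@dataclass
class Project:
    id: str
    parent: Optional[str]       # None for the root project
    parameters: list = field(default_factory=list)


@dataclass
class User:
    name: str
    authenticated: bool
    roles: dict                 # project id -> set of role names granted there


class PermissionDenied(Exception):
    pass


def lineage(projects, project_id):
    """Yield the project and each of its ancestors; roles are inherited downwards."""
    while project_id is not None:
        yield project_id
        project_id = projects[project_id].parent


def has_permission(user, projects, project_id, permission):
    """True if any role the user holds on the project or an ancestor grants the permission."""
    for pid in lineage(projects, project_id):
        for role in user.roles.get(pid, ()):
            if permission in ROLE_PERMISSIONS.get(role, ()):
                return True
    return False


def get_parameters_vulnerable(user, projects, project_id):
    # Authentication is checked, authorization is not: any logged-in user
    # receives every parameter value, password-type ones included.
    if not user.authenticated:
        raise PermissionDenied("login required")
    return [(p.name, p.value) for p in projects[project_id].parameters]


def get_parameters_fixed(user, projects, project_id):
    if not user.authenticated:
        raise PermissionDenied("login required")
    # The secondary authorization step: the caller must hold a role that grants
    # VIEW_SETTINGS on this project or one of its parents.
    if not has_permission(user, projects, project_id, VIEW_SETTINGS):
        raise PermissionDenied(f"{user.name} holds no qualifying role on {project_id}")
    # Password-type values are masked even for authorized callers (assumed policy).
    return [(p.name, "******" if p.kind == "password" else p.value)
            for p in projects[project_id].parameters]


def denied(fn, *args):
    """Helper for demos/tests: True if the call raises PermissionDenied."""
    try:
        fn(*args)
    except PermissionDenied:
        return True
    return False


def build_demo():
    """Constructed sample data: a root project, two subprojects, three users."""
    projects = {
        "_Root": Project("_Root", None),
        "Web": Project("Web", "_Root"),
        "Payments": Project("Payments", "_Root", [
            Parameter("DB_HOST", "db.internal"),
            Parameter("DB_PASSWORD", "s3cr3t", kind="password"),   # constructed value
        ]),
    }
    users = {
        "outsider": User("outsider", True, {"Web": {"PROJECT_VIEWER"}}),  # no role on Payments
        "viewer": User("viewer", True, {"_Root": {"PROJECT_VIEWER"}}),    # inherited down to Payments
        "anon": User("anon", False, {}),
    }
    return projects, users


if __name__ == "__main__":
    projects, users = build_demo()
    print("vulnerable:", get_parameters_vulnerable(users["outsider"], projects, "Payments"))
    print("fixed, outsider denied:", denied(get_parameters_fixed, users["outsider"], projects, "Payments"))
    print("fixed, viewer:", get_parameters_fixed(users["viewer"], projects, "Payments"))
```

Run as a script, the vulnerable handler hands the constructed password value to a user whose only role is on an unrelated project, while the fixed handler denies that user and masks the password even for the inherited viewer role.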
Attack Vector
Exploitation requires network access to the TeamCity server and a valid low-privilege account. An attacker queries the affected endpoints to retrieve build configuration parameters belonging to projects where they should have no visibility. The exposed parameters can include database connection strings, deployment credentials, signing keys, or third-party API tokens. These secrets enable lateral movement into downstream production systems and CI/CD targets.
// No verified public exploit code is available for CVE-2026-49374.
// Refer to the JetBrains advisory for technical details:
// https://www.jetbrains.com/privacy-security/issues-fixed/
Detection Methods for CVE-2026-49374
Indicators of Compromise
- Unexpected REST API calls to TeamCity parameter endpoints from low-privilege user accounts
- Access patterns where a single user account enumerates parameters across multiple unrelated projects
- Authentication logs showing parameter retrieval requests outside normal build agent activity windows
Detection Strategies
- Audit TeamCity server access logs for parameter-related API endpoints accessed by accounts lacking project-administrator roles
- Correlate user role assignments against parameter read operations to surface authorization mismatches
- Monitor outbound use of secrets stored in TeamCity parameters for signs of credential reuse from unexpected hosts
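The second and first strategies above (correlating role assignments against parameter reads, and auditing parameter endpoints for accounts without a project role) can be implemented as a small log-analysis script. The example below is added here and is not TeamCity's or JetBrains' tooling: the "key=value" access-log format, the build-configuration-to-project mapping and the role table are constructed for the example, so a real deployment would replace the parser with one for its own log format and pull the mapping and roles from the TeamCity REST API. The endpoint path pattern follows the /app/rest/buildTypes/*/parameters endpoint named in the monitoring recommendations, and the script also accepts the project-level /app/rest/projects/*/parameters form.

```python
"""Detection logic for unauthorized parameter reads, run over constructed log lines.

Assumptions (not from TeamCity): the log line format, BUILD_TYPE_PROJECT and
USER_PROJECT_ROLES are all constructed sample data for this example.
"""
import re
from collections import defaultdict

# Constructed sample access-log lines in an assumed "key=value" format.
SAMPLE_LOG = """\
2026-06-01T09:12:04Z user=alice method=GET path=/app/rest/buildTypes/id:Web_Build/parameters status=200
2026-06-01T09:12:09Z user=alice method=GET path=/app/rest/builds?locator=buildType:Web_Build status=200
2026-06-01T09:13:41Z user=mallory method=GET path=/app/rest/buildTypes/id:Web_Build/parameters status=200
2026-06-01T09:13:44Z user=mallory method=GET path=/app/rest/buildTypes/id:Pay_Deploy/parameters status=200
2026-06-01T09:13:47Z user=mallory method=GET path=/app/rest/buildTypes/id:Infra_Rotate/parameters status=200
2026-06-01T09:13:50Z user=mallory method=GET path=/app/rest/projects/id:Payments/parameters status=200
2026-06-01T09:20:00Z user=bob method=GET path=/app/rest/buildTypes/id:Pay_Deploy/parameters status=200
"""

# Constructed: which project each build configuration belongs to.
BUILD_TYPE_PROJECT = {"Web_Build": "Web", "Pay_Deploy": "Payments", "Infra_Rotate": "Infra"}

# Constructed: projects on which each user holds any role (roles inherited
# from parent projects should already be expanded into this table).
USER_PROJECT_ROLES = {
    "alice": {"Web"},
    "bob": {"Payments"},
    "mallory": {"Web"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)
# Matches both build-configuration and project parameter endpoints, with or
# without the "id:" locator prefix.
PARAM_RE = re.compile(r"^/app/rest/(?P<kind>buildTypes|projects)/(?:id:)?(?P<ident>[^/?]+)/parameters")


def parse_parameter_reads(log_text, build_type_project=BUILD_TYPE_PROJECT):
    """Return successful parameter reads, each resolved to the owning project."""
    reads = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pm = PARAM_RE.match(m["path"])
        if not pm or m["status"] != "200":
            continue
        ident = pm["ident"]
        project = ident if pm["kind"] == "projects" else build_type_project.get(ident)
        reads.append({"ts": m["ts"], "user": m["user"], "path": m["path"], "project": project})
    return reads


def find_authorization_mismatches(reads, roles=USER_PROJECT_ROLES):
    """Reads of a project's parameters by a user with no role on that project.
    Reads whose project could not be resolved are also returned for triage."""
    return [r for r in reads if r["project"] not in roles.get(r["user"], set())]


def find_enumerators(reads, threshold=3):
    """Users who read parameters from at least `threshold` distinct projects."""
    per_user = defaultdict(set)
    for r in reads:
        if r["project"]:
            per_user[r["user"]].add(r["project"])
    return {u: sorted(p) for u, p in per_user.items() if len(p) >= threshold}


if __name__ == "__main__":
    reads = parse_parameter_reads(SAMPLE_LOG)
    for r in find_authorization_mismatches(reads):
        print(f"MISMATCH {r['ts']} {r['user']} read {r['path']} (project {r['project']})")
    for user, projects in find_enumerators(reads).items():
        print(f"ENUMERATION {user} read parameters across {projects}")
```

On the constructed input the script reports the three reads by the account that only holds a role on one project, and the same account trips the cross-project enumeration rule; the legitimate reads by the two other accounts produce no findings. The threshold and the status filter are the knobs to tune for a real server's traffic.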
Monitoring Recommendations
- Enable detailed audit logging in TeamCity and forward events to a centralized SIEM
- Alert on anomalous read volume against /app/rest/buildTypes/*/parameters and related endpoints
- Rotate and monitor any credentials previously stored as TeamCity parameters following an upgrade
How to Mitigate CVE-2026-49374
Immediate Actions Required
- Upgrade TeamCity to version 2026.1 or later as published on the JetBrains Security Issues Fixed page
- Inventory all build configuration parameters and rotate any secrets that may have been exposed to lower-privileged users
- Review project-level role assignments and remove unnecessary user access from sensitive projects
Patch Information
JetBrains fixed CVE-2026-49374 in TeamCity 2026.1. Administrators of self-hosted instances should plan a maintenance window, back up the TeamCity Data Directory and database, then apply the upgrade following the standard JetBrains upgrade procedure. TeamCity Cloud instances are updated by JetBrains.
Workarounds
- Restrict network access to the TeamCity server to trusted administrative networks until patching is complete
- Move highly sensitive secrets out of TeamCity parameters into an external secrets manager referenced at build time
- Reduce the number of users with any role on projects containing sensitive parameters until upgrade is verified
# Verify TeamCity server version after upgrade (the /app/rest/server endpoint
# returns XML by default; the version appears as an attribute of the root element).
# Use an access token as a Bearer header, or -u <admin>:<password> for basic auth.
curl --header "Authorization: Bearer <token>" \
https://<teamcity-host>/app/rest/server | grep -io 'version="[^"]*"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.