CVE-2026-49375 Overview
CVE-2026-49375 is a reflected cross-site scripting (XSS) vulnerability in JetBrains TeamCity, a widely deployed continuous integration and continuous delivery (CI/CD) server. The flaw affects the repository download page and allows attackers to inject malicious script content that executes in the context of a victim's browser session. The issue is fixed in TeamCity 2026.1 and 2025.11.5. Successful exploitation requires user interaction, typically through a crafted link delivered via phishing or social engineering. Because TeamCity manages build pipelines, source code repositories, and deployment credentials, session compromise can expose sensitive CI/CD assets.
Critical Impact
Attackers can execute arbitrary JavaScript in an authenticated TeamCity user's browser, potentially hijacking sessions and accessing build artifacts, source code, and pipeline credentials.
Affected Products
- JetBrains TeamCity 2025.11.x releases before 2025.11.5
- JetBrains TeamCity releases before 2026.1 that have not received the 2025.11.5 bug-fix update
- Any on-premises TeamCity installation on those versions whose repository download page is reachable by its users (the flaw is server-side, so exposure is the web UI itself, not a particular agent or plugin)
Discovery Timeline
- 2026-05-29 - CVE-2026-49375 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-49375
Vulnerability Analysis
The vulnerability is a reflected cross-site scripting issue [CWE-79] in the TeamCity repository download page. The application reflects attacker-controlled input from the HTTP request back into the rendered HTML response without sufficient output encoding or input validation. When a victim follows a crafted URL, the injected payload executes in the victim's browser within the trust boundary of the TeamCity origin.
Reflected XSS in a CI/CD platform carries elevated impact compared to a typical web application. TeamCity holds VCS credentials, deployment tokens, agent keys, and artifact storage credentials. An attacker who steals a session cookie or issues authenticated requests through the XSS payload can pivot into the software supply chain; an HttpOnly session cookie blocks only the first of these, since script running in the TeamCity origin can still call the server with the victim's session. Scope is changed (S:C), as is standard in CVSS v3 scoring of XSS: the vulnerable component is the TeamCity server, but the impact lands in a different security authority, the victim's browser, and from there the script can drive authenticated requests against the rest of the instance and its integrations.
Root Cause
The root cause is improper neutralization of input during web page generation on the repository download page. User-supplied request parameters are echoed into the response without HTML-context encoding, allowing <script> tags or event handlers to be parsed and executed by the browser.
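The CWE-79 pattern in miniature, as an added illustration (none of this is TeamCity code; the parameter name `path`, the URLs, the page template and the two crafted links are assumptions): the same fragment rendered once with the raw value interpolated and once with HTML-context encoding, plus a parser-based check that reports whether the resulting markup actually contains a script element or an event-handler attribute.

```python
"""Reflected-XSS root cause in miniature: one page template rendered with and without
HTML-context output encoding, and a parser-based check that tells the two apart.
Added illustration of the CWE-79 pattern; not TeamCity code. The parameter name, the
URLs and the page layout are assumptions made for the example."""
import html
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

PARAM = "path"  # hypothetical reflected parameter; the advisory does not name one

# Constructed crafted links of the kind an attacker would deliver by phishing.
CRAFTED_URLS: Dict[str, str] = {
    "script_tag": "https://teamcity.example/repository/download/?path=%3Cscript%3Ealert(1)%3C/script%3E",
    "attr_breakout": "https://teamcity.example/repository/download/?path=%22%20onmouseover%3D%22alert(1)",
}


def reflected_value(url: str) -> str:
    """Pull the reflected parameter out of the request URL (parse_qs percent-decodes it)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(PARAM, [""])[0]


def render_vulnerable(url: str) -> str:
    """CWE-79: the raw value is interpolated into element text and into a quoted attribute."""
    value = reflected_value(url)
    return (f"<p>Download failed for {value}</p>"
            f'<a href="/repository/download/{value}">retry</a>')


def render_hardened(url: str) -> str:
    """Same template, but html.escape(quote=True) turns <, >, & and both quote characters
    into entities, so the value can neither open a tag in text context nor close the
    double-quoted attribute it sits in."""
    value = html.escape(reflected_value(url), quote=True)
    return (f"<p>Download failed for {value}</p>"
            f'<a href="/repository/download/{value}">retry</a>')


class ActiveContentFinder(HTMLParser):
    """Records script elements and on* event-handler attributes as the HTML parser sees them.
    Parsing rather than grepping matters: the hardened page still contains the text
    'onmouseover=' inside an attribute value, where it is inert."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _ in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")


def active_content(page: str) -> List[str]:
    """Return the active-content findings for a rendered page (empty list means inert)."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for label, url in CRAFTED_URLS.items():
        print(label, "vulnerable:", active_content(render_vulnerable(url)),
              "hardened:", active_content(render_hardened(url)))
```

The second crafted link is the reason encoding has to be chosen for the context the value lands in: it never uses `<` at all, only a stray `"` to close the `href` attribute and start an `onmouseover` attribute of its own, and `html.escape` with `quote=False` would have left that door open.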
Attack Vector
Exploitation requires an attacker to craft a malicious URL pointing to the vulnerable repository download endpoint and deliver it to an authenticated TeamCity user. When the user clicks the link, the payload executes with the privileges of that user's session. No authentication is required from the attacker, but user interaction is mandatory. See the JetBrains Security Issues Fixed advisory for vendor disclosure details.
Detection Methods for CVE-2026-49375
Indicators of Compromise
- HTTP requests to TeamCity repository download URLs carrying <script>, javascript:, or on*= event-handler payloads (plain, percent-encoded or double-encoded) in the path or query parameters
- Outbound browser requests from TeamCity users to unfamiliar external domains immediately after clicking links to the TeamCity host
- Unexpected session activity from TeamCity user accounts, such as new personal access tokens or modified VCS roots
- Referer headers in TeamCity access logs originating from external email or chat platforms tied to repository download endpoints
Detection Strategies
- Inspect TeamCity HTTP access logs for repository download requests containing HTML tags, JavaScript keywords, or URL-encoded angle brackets (%3C, %3E) in parameters; percent-decode the request target repeatedly before matching so double-encoded payloads are not missed
- Deploy web application firewall (WAF) rules that flag reflected XSS signatures targeting the TeamCity URL path namespace
- Monitor for anomalous administrative actions performed shortly after a user loads a repository download page
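The log-inspection strategy above and the request-based indicators listed under Indicators of Compromise, run over constructed sample lines as an added example (not JetBrains tooling). It assumes a combined-format access log from the reverse proxy in front of TeamCity, a TeamCity hostname of `teamcity.example`, and the three hypothetical payload lines it scans; the point it makes is that the request target has to be percent-decoded to a fixed point before any signature matching, otherwise `%253Cscript` and mixed-case `JaVaScRiPt:` walk straight past a naive grep.

```python
"""Scan access logs for reflected-XSS attempts against the TeamCity repository download
path. Added example, not JetBrains code. Log format, hostname and sample lines are
assumptions constructed for the example."""
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

TEAMCITY_HOST = "teamcity.example"        # assumed TeamCity hostname
DOWNLOAD_PREFIX = "/repository/download"  # path family named in the advisory

# Constructed combined-log-format lines; these are not real TeamCity logs.
SAMPLE_LOG = """\
10.0.0.5 - alice [29/May/2026:10:12:01 +0000] "GET /repository/download/Build1/123/artifact.zip HTTP/1.1" 200 512 "https://teamcity.example/viewLog.html" "Mozilla/5.0"
10.0.0.9 - - [29/May/2026:10:13:44 +0000] "GET /repository/download/Build1/123/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "https://mail.example/inbox" "Mozilla/5.0"
10.0.0.9 - - [29/May/2026:10:14:02 +0000] "GET /repository/download/Build1/123/a?x=%253Cimg%2520src%253Dx%2520onerror%253Dfetch(%27https://evil.example%27)%253E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [29/May/2026:10:14:30 +0000] "GET /repository/download/Build1/123/a?u=JaVaScRiPt:alert(document.cookie) HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - bob [29/May/2026:10:15:00 +0000] "GET /viewType.html?buildTypeId=Build1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# client, ident, user, time, request line, status, bytes, referer, user agent
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Signatures are applied to the fully decoded target, case-insensitively.
MARKERS = {
    "script_tag": re.compile(r"<\s*/?\s*script", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}


def decode_fully(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded), so layered encoding
    such as %253C -> %3C -> < cannot hide a payload from the signatures."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_markers(target: str) -> List[str]:
    """Names of the signatures that fire on the (raw or decoded) request target."""
    decoded = decode_fully(target)
    return [name for name, rx in MARKERS.items() if rx.search(decoded)]


def is_external_referer(referer: str) -> bool:
    """True when the request came from a link on a site other than TeamCity (mail, chat)."""
    if referer in ("", "-"):
        return False
    host = urlsplit(referer).hostname
    return host is not None and host.lower() != TEAMCITY_HOST


def scan(log_text: str) -> List[Dict]:
    """Return one finding per repository-download request that carries an XSS marker."""
    findings: List[Dict] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count and surface these
        decoded = decode_fully(m.group("target"))
        if not urlsplit(decoded).path.startswith(DOWNLOAD_PREFIX):
            continue
        markers = find_markers(decoded)
        if not markers:
            continue
        findings.append({
            "client": m.group("client"),
            "time": m.group("time"),
            "target": decoded,
            "markers": markers,
            "external_referer": is_external_referer(m.group("referer")),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = " (external referer)" if f["external_referer"] else ""
        print(f["time"], f["client"], f["markers"], f["target"] + flag)
```

Feed it the proxy's log rather than only TeamCity's own, since a payload that a WAF rejected still shows up as an attempt, and treat a hit with an external referer as the phishing-delivered case the advisory describes rather than a scanner probing the host directly.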
Monitoring Recommendations
- Centralize TeamCity application and proxy logs and alert on parameter values containing script-related tokens
- Track creation of new authentication tokens, build configurations, and VCS roots for correlation with suspicious browser activity
- Enable browser-side Content Security Policy (CSP) violation reporting to surface blocked inline script attempts
How to Mitigate CVE-2026-49375
Immediate Actions Required
- Upgrade TeamCity to version 2026.1 or 2025.11.5 as soon as practical
- Audit recently created access tokens, VCS connections, and user sessions for signs of misuse
- Notify TeamCity users to avoid clicking unsolicited links referencing internal TeamCity URLs
- Restrict TeamCity web UI exposure to trusted networks or behind a VPN where feasible
Patch Information
JetBrains has resolved the issue in TeamCity 2026.1 and 2025.11.5. Administrators should review the JetBrains Security Issues Fixed page and apply the upgrade through standard TeamCity maintenance procedures. Verify the running version under the server administration page after the upgrade completes.
Workarounds
- Place TeamCity behind a reverse proxy or WAF that strips or blocks script content in query parameters targeting the repository download path
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to the TeamCity origin; roll it out first as Content-Security-Policy-Report-Only on a staging server, because a policy that blocks inline script also blocks any inline script the TeamCity UI itself relies on
- Require short session lifetimes and re-authentication for sensitive administrative actions to limit session theft impact
- Educate users on phishing-style links and require link verification for TeamCity URLs received outside trusted channels
# Example reverse proxy filter (nginx) to block obvious XSS payloads on the repository download path.
# Best-effort stopgap, not a substitute for the patch: $args is the raw, still percent-encoded query
# string (so encoded forms must be listed, and double encoding such as %253C slips through), while
# $uri is the decoded path and catches payloads placed in a path segment instead of a parameter.
location ~* /repository/download {
    if ($args ~* "(<|%3C)(\s|%20|\+)*/?(\s|%20|\+)*script|\bon[a-z]+(\s|%20|\+)*(=|%3D)|javascript(\s|%20|\+)*(:|%3A)") {
        return 403;
    }
    if ($uri ~* "<\s*/?\s*script|\bon[a-z]+\s*=|javascript\s*:") {
        return 403;
    }
    proxy_pass http://teamcity_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.