CVE-2026-49376 Overview
CVE-2026-49376 affects JetBrains TeamCity versions before 2026.1. The vulnerability stems from insufficient username validation in the SAML (Security Assertion Markup Language) plugin. The flaw is categorized as an authorization issue under [CWE-863]. Attackers can exploit this weakness over the network without authentication or user interaction. Successful exploitation impacts both confidentiality and integrity of the affected TeamCity instance. JetBrains addressed the issue in TeamCity 2026.1.
Critical Impact
Insufficient SAML username validation may allow an attacker to impersonate or assume the identity of another TeamCity user, leading to unauthorized access to projects, build configurations, and source code.
Affected Products
- JetBrains TeamCity versions prior to 2026.1
- TeamCity deployments using the SAML authentication plugin
- Self-hosted TeamCity servers exposed to networks accepting SAML assertions
Discovery Timeline
- 2026-05-29 - CVE-2026-49376 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-49376
Vulnerability Analysis
The vulnerability resides in the SAML plugin shipped with JetBrains TeamCity. The plugin processes SAML assertions to authenticate users against external identity providers (IdPs). Insufficient validation of the username field in the SAML response allows malformed or ambiguous username values to pass through to TeamCity's user resolution logic. This authorization weakness, classified under [CWE-863] (Incorrect Authorization), can result in a SAML-authenticated session being bound to the wrong TeamCity account. An attacker controlling or influencing a SAML assertion may gain access to resources belonging to another user.
Root Cause
The root cause is improper validation of the username attribute extracted from a SAML assertion before mapping it to an internal TeamCity user identity. TeamCity does not sufficiently constrain the structure, casing, or character set of the username, which permits identity collisions or substitution during the authentication decision.
Attack Vector
Exploitation occurs over the network against TeamCity servers that have the SAML plugin enabled. The attacker submits or influences a crafted SAML assertion whose username field exploits the validation gap. No prior authentication to TeamCity is required, and no user interaction is needed. The result is unauthorized access at the privilege level of the impersonated account.
No public proof-of-concept code has been released for CVE-2026-49376. See the JetBrains Security Issue Fixes advisory for vendor details.
Detection Methods for CVE-2026-49376
Indicators of Compromise
- SAML login events in TeamCity audit logs where the resolved internal username differs from the asserted NameID or username attribute.
- Authentication events for the same SAML identity originating from unexpected IP addresses or IdP entity IDs.
- Unexpected access to build configurations, VCS roots, or administrative areas immediately following a SAML login.
Detection Strategies
- Review TeamCity authentication logs for anomalous SAML username values, including duplicate, case-variant, or whitespace-padded usernames.
- Correlate SAML assertions captured at the IdP with sessions established on the TeamCity server to detect identity mismatches.
- Alert on first-time access patterns where a user account suddenly interacts with projects outside their normal scope after a SAML login.
Monitoring Recommendations
- Forward TeamCity server logs and IdP authentication logs to a centralized analytics platform for cross-source correlation.
- Track changes to user roles and project permissions performed by accounts shortly after SAML authentication.
- Monitor the TeamCity SAML plugin configuration for unauthorized changes to attribute mappings or IdP metadata.
How to Mitigate CVE-2026-49376
Immediate Actions Required
- Upgrade JetBrains TeamCity to version 2026.1 or later, which contains the fix for CVE-2026-49376.
- Audit existing TeamCity user accounts for unexpected username variants or duplicate identities that may indicate prior exploitation.
- Rotate sensitive build secrets, API tokens, and VCS credentials accessible from TeamCity if compromise is suspected.
Patch Information
JetBrains released the fix in TeamCity 2026.1. Administrators should consult the JetBrains Security Issue Fixes page for the official advisory and download links. Apply the upgrade following standard TeamCity maintenance procedures, including a server backup prior to the update.
Workarounds
- Disable the SAML plugin temporarily and revert to an alternative authentication module until the upgrade can be applied.
- Restrict network access to the TeamCity server so that only trusted IdP endpoints can submit SAML assertions.
- Enforce strict username normalization rules at the IdP and ensure SAML attribute mappings reject ambiguous or duplicate identifiers.
# Verify the running TeamCity version after upgrade
curl -s -u <admin>:<token> https://teamcity.example.com/app/rest/server | \
grep -oE 'version="[^"]+"'
# Expected output should reflect 2026.1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
