CVE-2026-49377 Overview
CVE-2026-49377 is an information disclosure vulnerability affecting JetBrains TeamCity continuous integration server versions prior to 2025.11.2. The flaw exposes sensitive data through default agent parameters, allowing authenticated users with limited privileges to access information they should not see. The vulnerability is classified under [CWE-526] Cleartext Storage of Sensitive Information in an Environment Variable.
JetBrains addressed the issue in TeamCity 2025.11.2. The vulnerability requires network access and low-privilege authentication, with no user interaction needed for exploitation.
Critical Impact
Authenticated attackers with low privileges can retrieve sensitive build agent parameters over the network, potentially exposing credentials, tokens, or internal configuration data used by CI/CD pipelines.
Affected Products
- JetBrains TeamCity versions before 2025.11.2
- TeamCity build agents using default parameter configurations
- CI/CD pipelines integrated with affected TeamCity servers
Discovery Timeline
- 2026-05-29 - CVE-2026-49377 published to the National Vulnerability Database
- 2026-06-02 - Entry last updated in the NVD
Technical Details for CVE-2026-49377
Vulnerability Analysis
The vulnerability stems from how TeamCity handles default agent parameters. Build agents in TeamCity automatically populate a set of parameters describing their runtime environment, including system properties, environment variables, and configuration values. These parameters are accessible to users who interact with the build configuration interface.
In affected versions, TeamCity exposes parameters that contain sensitive data without applying appropriate access restrictions. Authenticated users with low privileges can enumerate or read these default agent parameters, gaining visibility into information intended for administrators or trusted build configurations.
The scope of the disclosure is limited to confidentiality. The vulnerability does not permit modification of data or denial of service, but the leaked parameters may contain values that enable follow-on attacks against the build environment or downstream systems.
Root Cause
The root cause is improper access control over default parameters surfaced by TeamCity build agents. The application treats certain agent parameters as non-sensitive by default, leading to disclosure when they contain values such as paths, identifiers, or environment-derived data that should be restricted.
This aligns with [CWE-526], where sensitive information stored in environment variables or default configuration fields becomes accessible to actors who should not view it.
Attack Vector
An attacker requires a valid TeamCity account with low-privilege access to the server. After authenticating, the attacker queries build agent parameter views or related API endpoints that return the default parameter set. Sensitive values returned in this response are then collected for reconnaissance or lateral movement.
The vulnerability does not require user interaction or elevated privileges and is exploitable over the network against any reachable TeamCity instance. No public proof-of-concept is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
For technical details, refer to the JetBrains Security Issues Fixed advisory.
Detection Methods for CVE-2026-49377
Indicators of Compromise
- Unusual authenticated requests to TeamCity agent parameter endpoints from low-privilege user accounts
- Repeated enumeration of build agent details by accounts that do not own or maintain those agents
- Access patterns to TeamCity REST API endpoints returning agent configuration data outside normal CI/CD workflows
Detection Strategies
- Review TeamCity audit logs for parameter and agent enumeration activity tied to non-administrative accounts
- Correlate API access logs with user role assignments to identify privilege boundary violations
- Monitor outbound use of credentials or tokens that appear in agent parameters for signs of misuse
Monitoring Recommendations
- Enable verbose audit logging on the TeamCity server and forward logs to a centralized analytics platform
- Alert on bulk reads of agent or project parameters by individual user accounts within short time windows
- Track changes in TeamCity user roles and permissions to detect unauthorized privilege adjustments
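The detection strategy and monitoring recommendation above (bulk reads of agent data by non-administrative accounts inside a short window) can be expressed as a small sliding-window rule. The script below is an added example written for this page, not JetBrains tooling or a TeamCity feature; the log line layout, the role names `SYSTEM_ADMIN`/`PROJECT_ADMIN`/`PROJECT_VIEWER`, and the `/app/rest/agents` path prefix are assumptions, and the sample lines are constructed. Adapt `LINE_RE` to the access-log format you actually export from the server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines in an assumed layout:
#   <ISO-8601 timestamp> user=<login> role=<role> <METHOD> <path> <status>
# Real TeamCity access logs differ; adjust LINE_RE to your exported format.
SAMPLE_LOG = """\
2026-06-03T10:00:01Z user=alice role=PROJECT_VIEWER GET /app/rest/agents/id:1 200
2026-06-03T10:00:07Z user=alice role=PROJECT_VIEWER GET /app/rest/agents/id:2 200
2026-06-03T10:00:12Z user=bob role=SYSTEM_ADMIN GET /app/rest/agents/id:1 200
2026-06-03T10:00:15Z user=alice role=PROJECT_VIEWER GET /app/rest/agents/id:3 200
2026-06-03T10:00:20Z user=carol role=PROJECT_VIEWER GET /app/rest/builds?locator=count:10 200
2026-06-03T10:00:31Z user=alice role=PROJECT_VIEWER GET /app/rest/agents/id:4 200
2026-06-03T10:00:44Z user=alice role=PROJECT_VIEWER GET /app/rest/agents/id:5 200
2026-06-03T10:01:02Z user=bob role=SYSTEM_ADMIN GET /app/rest/agents/id:2 200
2026-06-03T10:01:03Z user=bob role=SYSTEM_ADMIN GET /app/rest/agents/id:3 200
2026-06-03T10:01:04Z user=bob role=SYSTEM_ADMIN GET /app/rest/agents/id:4 200
2026-06-03T10:01:05Z user=bob role=SYSTEM_ADMIN GET /app/rest/agents/id:5 200
2026-06-03T10:01:06Z user=bob role=SYSTEM_ADMIN GET /app/rest/agents/id:6 200
2026-06-03T10:20:00Z user=carol role=PROJECT_VIEWER GET /app/rest/agents/id:1 200
2026-06-03T10:40:00Z user=carol role=PROJECT_VIEWER GET /app/rest/agents/id:2 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed: agent detail and parameter reads live under this REST prefix.
AGENT_PATH_RE = re.compile(r"^/app/rest/agents(?:/|\?|$)")
# Assumed role names; administrators are expected to read agent data.
ADMIN_ROLES = {"SYSTEM_ADMIN", "PROJECT_ADMIN"}


def parse_line(line):
    """Return an event dict for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["status"] = int(ev["status"])
    return ev


def detect_bulk_agent_reads(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert when a non-admin account successfully reads agent endpoints at
    least `threshold` times inside a sliding `window`. The alert fires once,
    at the request that pushes the count up to the threshold."""
    recent = defaultdict(deque)  # user -> timestamps of qualifying reads
    alerts = []
    for ev in map(parse_line, lines):
        if ev is None or ev["role"] in ADMIN_ROLES:
            continue
        if ev["method"] != "GET" or not AGENT_PATH_RE.match(ev["path"]):
            continue
        if ev["status"] != 200:
            continue  # only successful reads are disclosures
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop reads that fell out of the window
        if len(q) == threshold:
            alerts.append({
                "user": ev["user"], "role": ev["role"], "count": len(q),
                "first": q[0].isoformat(), "last": q[-1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_agent_reads(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['user']} ({a['role']}): {a['count']} agent reads "
              f"between {a['first']} and {a['last']}")
```

On the constructed sample, `alice` (a viewer) trips the rule with five agent reads in under a minute, `bob` is ignored because the admin role is expected to read agent data, and `carol`'s two reads twenty minutes apart never reach the threshold. Tune `threshold` and `window` to the normal agent-browsing rate of your own users; pair the rule with the role-correlation check from the detection strategies so that a role change does not silently exempt an account.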
How to Mitigate CVE-2026-49377
Immediate Actions Required
- Upgrade TeamCity to version 2025.11.2 or later as published in the JetBrains security advisory
- Audit existing default agent parameters and remove any sensitive values stored in plaintext
- Rotate credentials, tokens, and API keys that may have been exposed through agent parameters
- Review TeamCity user accounts and revoke unnecessary low-privilege access to build configurations
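One way to carry out the parameter audit in the list above is to pull each agent's parameter listing and flag entries that look like plaintext secrets, by name or by value shape. The script below is an added example for this page, not JetBrains code; the input shape (an object with a `property` list of `name`/`value` pairs) is an assumption modelled on a REST agent listing, and the sample values are constructed placeholders. Flagged values are redacted to a short prefix so that the audit report itself does not become another copy of the secret.

```python
import re

# Constructed sample in the assumed shape of an agent parameter listing
# (a "property" list of name/value pairs). Not a captured response; every
# value is a made-up placeholder.
SAMPLE_AGENT_PROPERTIES = {
    "property": [
        {"name": "system.agent.name", "value": "linux-builder-01"},
        {"name": "env.PATH", "value": "/usr/local/bin:/usr/bin:/bin"},
        {"name": "env.JAVA_HOME", "value": "/usr/lib/jvm/java-17"},
        {"name": "env.DEPLOY_TOKEN", "value": "tok_example_0123456789abcdef"},
        {"name": "env.AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE01"},
        {"name": "env.DB_URL", "value": "postgres://app:examplepass@db.internal:5432/app"},
    ]
}

# Parameter names that usually carry secrets.
SENSITIVE_NAME_RE = re.compile(
    r"(secret|token|passw(or)?d|api[_.-]?key|access[_.-]?key|private[_.-]?key|credential)",
    re.IGNORECASE,
)
# Value shapes that are secrets regardless of what the parameter is called.
SENSITIVE_VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "url_with_embedded_credentials": re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}


def redact(value):
    """Keep a short prefix so a finding is recognisable without echoing the secret."""
    return value[:4] + "..." if len(value) > 4 else "***"


def audit_agent_properties(props):
    """Return one finding per parameter that looks like a plaintext secret.
    A parameter is flagged when its name suggests a secret or its value
    matches a known credential shape; all applicable reasons are listed."""
    findings = []
    for p in props.get("property", []):
        name, value = p.get("name", ""), str(p.get("value", ""))
        reasons = []
        if SENSITIVE_NAME_RE.search(name):
            reasons.append("sensitive_name")
        for label, rx in SENSITIVE_VALUE_PATTERNS.items():
            if rx.search(value):
                reasons.append(label)
        if reasons:
            findings.append({"name": name, "reasons": reasons, "value": redact(value)})
    return findings


if __name__ == "__main__":
    for f in audit_agent_properties(SAMPLE_AGENT_PROPERTIES):
        print(f"{f['name']}: {', '.join(f['reasons'])} (value {f['value']})")
```

Each finding is a candidate for the two follow-up actions in the list: move the value into a password-type parameter (or remove it from the agent entirely) and rotate it, since it has to be assumed readable by any low-privilege account on an unpatched server. Name-based matching catches the `DEPLOY_TOKEN` case, value-based matching catches the database URL whose name gives nothing away; run both, because each misses what the other finds.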
Patch Information
JetBrains fixed CVE-2026-49377 in TeamCity 2025.11.2. Administrators should consult the JetBrains Security Issues Fixed page for upgrade instructions and the complete list of remediated issues.
Workarounds
- Remove sensitive data from default agent parameters and store secrets in TeamCity's protected parameter types (password fields) instead
- Restrict TeamCity access to trusted networks using firewall rules or VPN-only access until the patch is applied
- Apply the principle of least privilege by limiting which users can view build agents and projects
# Verify TeamCity server version after upgrade
curl -u <admin>:<token> \
https://teamcity.example.com/app/rest/server | grep version
# Confirm running version is 2025.11.2 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.