CVE-2026-49378 Overview
CVE-2026-49378 affects JetBrains TeamCity build management server versions prior to 2026.1. The vulnerability exposes credentials-type parameters through the parameter autocompletion feature. Authenticated users with limited privileges can view sensitive values that should remain protected. The flaw is categorized under [CWE-862] Missing Authorization, indicating that the autocompletion endpoint does not properly verify whether a user is authorized to view credential parameter values. The issue requires network access and low-privilege authentication, but no user interaction is needed for exploitation.
Critical Impact
Authenticated TeamCity users can retrieve credentials parameters intended to be hidden, leading to potential exposure of secrets used in build configurations and pipelines.
Affected Products
- JetBrains TeamCity versions prior to 2026.1
- TeamCity On-Premises installations using credential parameters in build configurations
- TeamCity projects relying on parameter-based secret management
Discovery Timeline
- 2026-05-29 - CVE-2026-49378 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-49378
Vulnerability Analysis
JetBrains TeamCity supports parameter typing, including a password parameter type intended to mask credential values in the user interface and prevent unauthorized disclosure. The autocompletion feature, which suggests parameter values as users type, did not consistently enforce the same authorization checks applied elsewhere when rendering credential parameters. As a result, an authenticated user issuing requests to the autocompletion endpoint could receive credential values without holding the privilege required to view them in the standard configuration screens.
The weakness aligns with [CWE-862] Missing Authorization. The autocompletion handler returned data without validating that the requester held the appropriate role or project-level permission for password-typed parameters. The impact is limited to confidentiality of parameter values and does not allow modification or service disruption.
Root Cause
The root cause is an authorization gap in the parameter autocompletion handler. TeamCity's credential parameter type relies on UI-layer masking and permission-gated read paths, but the autocompletion path bypassed those checks. Any authenticated user able to reach the autocompletion endpoint could retrieve values that should have been restricted to project administrators or other privileged roles.
Attack Vector
An attacker requires valid TeamCity credentials with at least basic project access. The attacker then queries the parameter autocompletion endpoint over the network, requesting completion suggestions tied to credential parameters. The endpoint returns the underlying values, exposing secrets such as API tokens, deployment keys, or registry credentials stored as TeamCity parameters. No social engineering or user interaction is required.
No public proof-of-concept code is available for CVE-2026-49378. Refer to the JetBrains Security Issues Fixed advisory for vendor-supplied technical details.
Detection Methods for CVE-2026-49378
Indicators of Compromise
- Unusual volumes of requests from authenticated sessions to TeamCity parameter autocompletion endpoints
- Access to credential parameters by user accounts that lack project administrator roles
- Audit log entries showing parameter reads correlated with low-privilege user sessions
Detection Strategies
- Review TeamCity access logs for repeated calls to autocompletion URLs containing parameter names tied to credentials
- Correlate user role assignments against parameter-read events to identify privilege mismatches
- Compare baseline autocompletion request rates per user against current activity to flag anomalies
Monitoring Recommendations
- Forward TeamCity application logs and audit events to a centralized logging platform for retention and search
- Alert on access to projects containing credential parameters by accounts outside expected administrative groups
- Rotate and monitor usage of any secrets stored as TeamCity parameters in versions prior to 2026.1
How to Mitigate CVE-2026-49378
Immediate Actions Required
- Upgrade JetBrains TeamCity to version 2026.1 or later, where the authorization check is enforced on the autocompletion endpoint
- Rotate all credentials, API tokens, and secrets previously stored as TeamCity password parameters on affected versions
- Audit user role assignments and remove unnecessary access to projects containing sensitive parameters
Patch Information
JetBrains addressed CVE-2026-49378 in TeamCity 2026.1. The fix enforces consistent authorization checks on the parameter autocompletion handler so that credential-type parameters are only returned to users with the appropriate project permissions. Patch details are available in the JetBrains Security Issues Fixed advisory.
Workarounds
- Restrict TeamCity user accounts to the minimum project access required, reducing the population that can reach the autocompletion endpoint
- Move highly sensitive secrets out of TeamCity password parameters and into an external secrets manager referenced at build time
- Limit network reachability of the TeamCity server to trusted networks until the upgrade to 2026.1 is completed
# Verify the running TeamCity server version
curl -s -u <user>:<token> https://teamcity.example.com/app/rest/server | grep version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
