CVE-2026-49379 Overview
CVE-2026-49379 is a credential exposure vulnerability affecting JetBrains TeamCity versions before 2026.1. The flaw allows credentials to be exposed through thread names within the TeamCity server process. An authenticated attacker with low privileges over the network can retrieve sensitive credential material that should remain protected. The issue is classified under CWE-522: Insufficiently Protected Credentials.
Critical Impact
Authenticated low-privilege users can access credentials exposed in thread names, potentially leading to lateral movement and compromise of integrated build systems, source repositories, and deployment targets.
Affected Products
- JetBrains TeamCity versions prior to 2026.1
- TeamCity self-hosted On-Premises installations
- TeamCity build agents communicating with vulnerable server versions
Discovery Timeline
- 2026-05-29 - CVE-2026-49379 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-49379
Vulnerability Analysis
The vulnerability stems from improper handling of credential data within the Java Virtual Machine (JVM) runtime context of TeamCity. Thread names in Java are observable runtime metadata, accessible through standard management interfaces, diagnostic dumps, and logs. When credentials are embedded in thread names, they become available to any caller that can enumerate threads or read diagnostic output.
In TeamCity, build processes, agent communications, and integration tasks each run on dedicated worker threads. The naming convention applied to these threads inadvertently included secret values such as authentication tokens or passwords passed through to subsystems. Once recorded in thread metadata, these values can surface in thread dumps, JMX queries, profiler output, and administrative diagnostic exports.
The attack requires authenticated access with low privileges, consistent with developer or build engineer roles common in continuous integration environments. The confidentiality impact is high while integrity and availability are not affected.
Root Cause
The root cause is the inclusion of sensitive credential material in Thread.setName() calls or equivalent naming logic during the construction of worker threads handling authenticated operations. Thread names are not protected by access controls equivalent to those guarding the credential store, creating a side channel for disclosure.
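The pattern described above, shown as an added Java example (not TeamCity source code, which this page does not show): a worker thread named with a secret beside one named with a non-secret job identifier, plus a check through the JMX Threading MXBean. The class, method and thread names, the repository URL and the token value are all hypothetical and constructed for illustration.

```java
import java.lang.management.ManagementFactory;
import java.lang.management.ThreadInfo;
import java.lang.management.ThreadMXBean;
import java.util.concurrent.CountDownLatch;

// Added illustration; all names and values here are hypothetical.
public class ThreadNameLeakDemo {

    // Constructed sample values, not real credentials.
    static final String REPO_URL = "https://git.example.invalid/app.git";
    static final String TOKEN = "EXAMPLE-TOKEN-0000";

    // Before: the secret is concatenated into the thread name.
    static Thread leakyWorker(Runnable task) {
        return new Thread(task, "vcs-fetch " + REPO_URL + " token=" + TOKEN);
    }

    // After: the name carries only a non-secret identifier; the secret stays
    // in data the task reads and never enters runtime metadata.
    static Thread safeWorker(Runnable task, long jobId) {
        return new Thread(task, "vcs-fetch job-" + jobId);
    }

    // True if any live thread name contains the secret, as reported by the
    // Threading MXBean (the same names a thread dump shows).
    static boolean secretVisibleInThreadNames(String secret) {
        ThreadMXBean mx = ManagementFactory.getThreadMXBean();
        for (ThreadInfo info : mx.getThreadInfo(mx.getAllThreadIds())) {
            if (info != null && info.getThreadName().contains(secret)) {
                return true;
            }
        }
        return false;
    }

    // Starts one parked worker, inspects thread names, then releases it.
    static boolean check(boolean leaky) throws InterruptedException {
        CountDownLatch release = new CountDownLatch(1);
        Runnable task = () -> {
            try { release.await(); } catch (InterruptedException e) { Thread.currentThread().interrupt(); }
        };
        Thread t = leaky ? leakyWorker(task) : safeWorker(task, 42L);
        t.start();
        boolean visible = secretVisibleInThreadNames(TOKEN);
        release.countDown();
        t.join();
        return visible;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("secret in thread names (leaky naming): " + check(true));
        System.out.println("secret in thread names (safe naming):  " + check(false));
    }
}
```

The same check can be used as a regression test in code review: any thread, executor or thread-factory name built from a credential-bearing value fails it.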
Attack Vector
An authenticated user accesses TeamCity diagnostic features, downloads thread dumps, or queries JMX endpoints exposed to the application. The attacker parses the resulting output to extract credential strings embedded in thread names. Refer to the JetBrains Security Issues Fixed page for vendor confirmation. No verified public proof-of-concept exists at this time.
Detection Methods for CVE-2026-49379
Indicators of Compromise
- Unexpected access to TeamCity diagnostic endpoints such as /admin/diagnostic.html or thread dump download URLs by non-administrative accounts
- Anomalous JMX or management interface queries originating from internal users
- Use of harvested service account tokens against version control systems or artifact repositories shortly after TeamCity access
Detection Strategies
- Audit TeamCity server logs for downloads of thread dumps, heap dumps, and diagnostic archives by accounts that do not perform administrative duties
- Correlate authentication events with subsequent use of service credentials in integrated systems to identify credential replay
- Monitor for enumeration of TeamCity REST endpoints that expose build configurations containing referenced credentials
Monitoring Recommendations
- Enable verbose audit logging on the TeamCity server and forward events to a centralized logging platform
- Track outbound API calls from TeamCity using service tokens and alert on usage from unexpected source addresses
- Review thread dump generation activity at least weekly until upgrade is completed
How to Mitigate CVE-2026-49379
Immediate Actions Required
- Upgrade JetBrains TeamCity to version 2026.1 or later, which addresses the credential exposure in thread names
- Rotate all credentials, tokens, and service account passwords configured within TeamCity that may have been logged in thread metadata
- Restrict access to TeamCity diagnostic and administrative endpoints to a minimum set of administrator accounts
Patch Information
JetBrains released a fix in TeamCity 2026.1. Administrators should consult the JetBrains Security Issues Fixed advisory and apply the upgrade following the standard TeamCity upgrade procedure. Verify backup integrity before applying the upgrade to a production server.
Workarounds
- Reduce the number of users granted any TeamCity role until the upgrade is applied, since exploitation requires authenticated access
- Disable or restrict access to diagnostic features and JMX endpoints at the network layer using firewall rules or reverse proxy controls
- Rotate integration credentials on a short cadence and prefer short-lived tokens over long-lived passwords where supported
# Configuration example: restrict access to TeamCity diagnostic endpoints via reverse proxy
# Example nginx snippet placed in the TeamCity server block
location ~* ^/admin/(diagnostic|threadDump|memoryDump) {
    allow 10.0.0.0/24;  # administrator subnet
    deny all;
    proxy_pass http://teamcity_backend;
}


