CVE-2026-49380 Overview
CVE-2026-49380 is an open redirect vulnerability in the Security Assertion Markup Language (SAML) plugin of JetBrains TeamCity. The flaw affects all TeamCity releases prior to version 2026.1. An attacker can craft a malicious URL that, when followed by an authenticated user, redirects the browser to an attacker-controlled destination. This behavior maps to CWE-601: URL Redirection to Untrusted Site. The issue facilitates phishing and credential theft against TeamCity users by abusing the trust users place in legitimate TeamCity URLs.
Critical Impact
Attackers can leverage the SAML plugin redirect to send TeamCity users to attacker-controlled domains, enabling phishing and credential harvesting against continuous integration users.
Affected Products
- JetBrains TeamCity versions prior to 2026.1
- JetBrains TeamCity SAML plugin (bundled component)
- TeamCity deployments using SAML-based single sign-on
Discovery Timeline
- 2026-05-29 - CVE-2026-49380 published to the National Vulnerability Database
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-49380
Vulnerability Analysis
The vulnerability resides in the SAML authentication plugin shipped with JetBrains TeamCity. The plugin accepts a redirect parameter during the SAML authentication flow and fails to validate that the destination URL points to a trusted host. An attacker can construct a TeamCity SSO URL containing an external destination. When a victim clicks the link and completes authentication, the SAML plugin honors the attacker-supplied target and issues an HTTP redirect to the external site.
The vulnerability requires user interaction, as indicated by the CVSS vector component UI:R. The scope is changed because the redirect crosses the trust boundary between the TeamCity authentication context and the destination domain. Confidentiality and integrity impacts are limited to information disclosed through the redirect itself, such as referrer headers and session tokens carried in URL fragments.
Root Cause
The root cause is missing or insufficient validation of the user-supplied redirect target in the SAML plugin's post-authentication handler. The plugin does not enforce an allow-list of trusted hostnames or restrict redirects to relative paths within the TeamCity application. This implementation gap allows arbitrary absolute URLs to be passed through the redirect logic.
Attack Vector
Exploitation proceeds in three stages. First, the attacker crafts a TeamCity SAML login URL that embeds an external domain in the redirect parameter. Second, the attacker delivers the link to a TeamCity user through email, chat, or a malicious page. Third, after the victim authenticates, TeamCity redirects the browser to the attacker's site, which can mimic the TeamCity login page to harvest credentials or deliver malware.
No public proof-of-concept code is available for CVE-2026-49380. The EPSS score is 0.002%, reflecting low predicted exploitation probability. Refer to the JetBrains Security Issues Fixed page for vendor details.
Detection Methods for CVE-2026-49380
Indicators of Compromise
- TeamCity access logs containing SAML authentication requests with redirect parameters pointing to external domains
- HTTP 302 responses from /saml/ endpoints with Location headers referencing untrusted hosts
- User reports of being redirected from TeamCity to unfamiliar login pages immediately after SSO
- Unusual referrer entries originating from the TeamCity host in external web analytics
Detection Strategies
- Parse TeamCity web server logs for SAML callback URLs containing RelayState or redirect parameters that resolve to domains outside the organization
- Compare the Host header of TeamCity requests against the destination in subsequent Location response headers to flag cross-domain redirects
- Alert on outbound HTTP traffic from internal users that follows a TeamCity authentication event but resolves to newly registered or low-reputation domains
Monitoring Recommendations
- Enable verbose request logging on the TeamCity reverse proxy and forward logs to a central SIEM for correlation
- Add detection rules for HTTP redirect responses from TeamCity SAML endpoints that target hosts not on an internal allow-list
- Monitor email and chat gateways for inbound URLs referencing the TeamCity hostname combined with suspicious query parameters
How to Mitigate CVE-2026-49380
Immediate Actions Required
- Upgrade JetBrains TeamCity to version 2026.1 or later, which contains the fix for the SAML plugin redirect handling
- Audit TeamCity SAML plugin configuration and confirm that only the intended identity provider is registered
- Notify TeamCity users to avoid clicking SSO links received from external or unverified sources until the patch is applied
Patch Information
JetBrains addressed CVE-2026-49380 in TeamCity 2026.1. The fix introduces validation of redirect destinations in the SAML plugin. Administrators should review the JetBrains Security Issues Fixed advisory and follow the standard TeamCity upgrade procedure. Verify the upgrade by checking the server version in the TeamCity administration interface after restart.
Workarounds
- Place TeamCity behind a reverse proxy that strips or validates redirect parameters on SAML callback URLs
- Restrict TeamCity SSO access to authenticated users on trusted networks until the upgrade is completed
- Temporarily disable the SAML plugin and revert to a different authentication module if upgrading immediately is not feasible
# Example nginx snippet to block external redirects on TeamCity SAML endpoints
location ~ ^/saml/ {
if ($arg_RelayState ~* "^https?://(?!teamcity\.example\.com)") {
return 400;
}
proxy_pass http://teamcity_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
