CVE-2026-49381 Overview
CVE-2026-49381 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting JetBrains TeamCity versions before 2026.1. The flaw resides in the SAML (Security Assertion Markup Language) login page, where attacker-controlled content can be persisted and rendered in the browsers of subsequent users. Exploitation requires high privileges and user interaction, but the resulting script execution can cross security boundaries due to the changed scope component in the CVSS vector. JetBrains addressed the issue in TeamCity 2026.1.
Critical Impact
An authenticated administrator can inject persistent JavaScript into the SAML login page, leading to session compromise or credential theft when other users interact with the page.
Affected Products
- JetBrains TeamCity versions prior to 2026.1
- TeamCity instances with SAML authentication configured
- On-premises TeamCity build server deployments
Discovery Timeline
- 2026-05-29 - CVE-2026-49381 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-49381
Vulnerability Analysis
The vulnerability is a stored XSS issue in the SAML login page of JetBrains TeamCity. Stored XSS occurs when an application accepts untrusted input, persists it in server-side storage, and later renders it in HTML responses without adequate output encoding. In this case, the SAML login page rendering path fails to neutralize attacker-supplied script content before placing it into the response.
The SAML login page is reached by unauthenticated users attempting to sign in through a federated identity provider. Any persistent payload injected by a privileged user therefore executes in the browser context of other administrators or end users who visit that page. The scope-changed nature of the issue indicates that the script can affect resources beyond the vulnerable component itself, including SSO session material.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. Configuration values rendered into the SAML login template are not encoded for the HTML context in which they appear. A privileged user with access to SAML settings can therefore embed <script> tags or DOM event handlers that the browser parses as executable JavaScript.
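To make the root cause concrete, the following added example (not TeamCity code, and not from the advisory) renders a small login-page fragment twice: once by concatenating SAML settings straight into the HTML, reproducing the bug class, and once with output encoding chosen per context. The configuration field names and the sample values are constructed for illustration.

```python
import html
from urllib.parse import urlparse

# Constructed sample of SAML settings as an administrator might save them.
# The field names are assumptions for illustration, not TeamCity's real keys.
SAMPLE_SAML_CONFIG = {
    "idp_display_name": 'Corp IdP" onmouseover="alert(document.cookie)',
    "login_button_text": "<script>alert(document.domain)</script>",
    "idp_sso_url": "javascript:alert(1)",
}


def render_login_page_vulnerable(cfg):
    """'Before' form of the bug class: settings are concatenated straight into
    the HTML response, so tags, event handlers and javascript: URLs in the
    values are parsed by the browser as code."""
    return (
        '<div class="saml-login">\n'
        f'  <a href="{cfg["idp_sso_url"]}" title="{cfg["idp_display_name"]}">\n'
        f'    {cfg["login_button_text"]}\n'
        "  </a>\n"
        "</div>"
    )


def escape_text(value):
    """Encode a value for an HTML text node or a double-quoted attribute.
    quote=True also turns " and ' into entities, which is what stops the
    attribute break-out in idp_display_name."""
    return html.escape(str(value), quote=True)


def safe_url(value):
    """Entity encoding does not neutralise a javascript: URL inside href, so
    the scheme is allowlisted instead; anything else degrades to '#'."""
    if urlparse(str(value)).scheme.lower() in ("http", "https"):
        return escape_text(value)
    return "#"


def render_login_page_hardened(cfg):
    """Same template with output encoding chosen per context: text node,
    attribute value, and URL attribute each get the treatment they need."""
    return (
        '<div class="saml-login">\n'
        f'  <a href="{safe_url(cfg["idp_sso_url"])}" '
        f'title="{escape_text(cfg["idp_display_name"])}">\n'
        f'    {escape_text(cfg["login_button_text"])}\n'
        "  </a>\n"
        "</div>"
    )


if __name__ == "__main__":
    print(render_login_page_vulnerable(SAMPLE_SAML_CONFIG))
    print(render_login_page_hardened(SAMPLE_SAML_CONFIG))
```

The point of the third field is that entity encoding alone is not a complete fix: a value that lands in an href needs scheme validation as well, which is why `javascript:` appears among the indicators listed later in this advisory.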
Attack Vector
Exploitation requires an authenticated user with administrative privileges over SAML configuration. The attacker stores a malicious payload in a configurable SAML field. When another user loads the SAML login page, the payload renders inline and executes in that user's browser. Because the SAML login page sits at the SSO boundary, successful exploitation can be used to capture authentication tokens, manipulate the login flow, or pivot to other federated services.
No verified public exploit code is available for this vulnerability. Refer to the JetBrains Security Issues Fixed advisory for vendor details.
Detection Methods for CVE-2026-49381
Indicators of Compromise
- Unexpected <script>, onerror, or onload content rendered within the TeamCity SAML login HTML response
- Audit log entries showing modifications to SAML authentication settings by non-routine accounts
- Outbound browser requests from the SAML login page to attacker-controlled domains
Detection Strategies
- Inspect TeamCity SAML configuration values for HTML or JavaScript characters such as <, >, and javascript:
- Review TeamCity audit logs for changes to SAML identity provider settings preceding user reports of unusual login behavior
- Compare the currently deployed TeamCity version against the fixed release 2026.1 using the output of the /app/rest/server endpoint
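The first and third detection strategies above can be scripted. The following added example (not TeamCity's own tooling) scans a dictionary of SAML settings for markup, inline event handlers and script-bearing URLs, and compares a version string of the kind the /app/rest/server endpoint reports against the fixed release. The settings dictionary, its field names and the server XML sample are constructed; only the `version="..."` attribute on the `<server>` element is assumed to match the real response shape.

```python
import re
import xml.etree.ElementTree as ET

# Constructed SAML settings to scan; field names are illustrative assumptions.
SAMPLE_SAML_SETTINGS = {
    "idp_display_name": "Corporate IdP",
    "login_button_text": "<img src=x onerror=alert(1)>",
    "idp_sso_url": "javascript:alert(document.cookie)",
    "idp_entity_id": "https://idp.example.com/metadata",
}

# Constructed stand-in for the /app/rest/server response. Only the shape of
# the version attribute is assumed; the build number is a placeholder.
SAMPLE_SERVER_XML = (
    '<server version="2025.11.2 (build 000000)" '
    'versionMajor="2025" versionMinor="11"/>'
)

# Indicators that have no business appearing in display-oriented settings.
XSS_INDICATORS = [
    ("html_tag", re.compile(r"</?[a-z][\w-]*", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_url", re.compile(r"javascript\s*:", re.I)),
    ("data_html_url", re.compile(r"data\s*:\s*text/html", re.I)),
]


def scan_saml_settings(settings):
    """Return (field, indicator) pairs for every value carrying markup, an
    inline event handler, or a script-bearing URL."""
    findings = []
    for field, value in settings.items():
        for name, pattern in XSS_INDICATORS:
            if pattern.search(str(value)):
                findings.append((field, name))
    return findings


FIXED_VERSION = (2026, 1, 0)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version_string):
    """Turn '2025.11.2 (build ...)' into a comparable (2025, 11, 2) tuple;
    a missing patch component counts as 0."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"no version number in {version_string!r}")
    return tuple(int(g) for g in m.groups(default="0"))


def is_affected(version_string):
    """True when the server is older than the fixed release 2026.1."""
    return parse_version(version_string) < FIXED_VERSION


def version_from_rest_xml(xml_text):
    """Pull the version attribute from a /app/rest/server XML response."""
    return ET.fromstring(xml_text).get("version")


if __name__ == "__main__":
    for field, indicator in scan_saml_settings(SAMPLE_SAML_SETTINGS):
        print(f"FINDING {field}: {indicator}")
    reported = version_from_rest_xml(SAMPLE_SERVER_XML)
    print(f"server {reported}: affected={is_affected(reported)}")
```

Feed the scanner with an export of the live SAML settings; a hit on any field is worth a manual look even on a patched server, since a payload stored before the upgrade is still a sign of an earlier compromise.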
Monitoring Recommendations
- Forward TeamCity access and audit logs to a centralized SIEM and alert on SAML configuration changes
- Monitor web proxy or network telemetry for unexpected outbound requests originating from clients loading the TeamCity login page
- Track administrator account activity for off-hours modifications to authentication settings
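The SIEM alerting and off-hours tracking recommended above amount to a small triage rule over audit events. The following added example (not TeamCity code) runs that rule over a handful of constructed audit lines in a key=value shape; TeamCity's real audit log format differs, so `parse_audit_line` is the part to adapt to whatever export is forwarded. The action and module names, the business-hours window and the approved-admin set are assumptions.

```python
from datetime import datetime

# Constructed audit lines. The timestamp, action and module vocabulary is
# assumed for illustration and is not TeamCity's native audit format.
SAMPLE_AUDIT_LINES = [
    "2026-06-01T09:12:44Z user=alice action=BUILD_STARTED target=Build42",
    "2026-06-01T10:30:01Z user=alice action=AUTH_MODULE_UPDATED module=SAML field=idp_display_name",
    "2026-06-02T02:47:13Z user=bob action=AUTH_MODULE_UPDATED module=SAML field=login_button_text",
    "2026-06-02T02:48:05Z user=bob action=USER_LOGIN ip=198.51.100.7",
]

# Assumed change window in UTC: inclusive start hour, exclusive end hour.
BUSINESS_HOURS_UTC = (8, 18)


def parse_audit_line(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict with a parsed
    UTC datetime under 'time'."""
    ts, _, rest = line.partition(" ")
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def is_saml_config_change(event):
    """The event class the advisory asks to alert on: any edit to the SAML
    authentication module, whoever made it."""
    return event.get("action") == "AUTH_MODULE_UPDATED" and event.get("module") == "SAML"


def triage_audit_events(lines, approved_admins):
    """Emit one alert per SAML settings change, tagged with every reason it
    deserves attention: the change itself, an off-hours timestamp, and an
    actor outside the approved administrator set."""
    alerts = []
    start, end = BUSINESS_HOURS_UTC
    for line in lines:
        ev = parse_audit_line(line)
        if not is_saml_config_change(ev):
            continue
        reasons = ["saml_config_change"]
        if not (start <= ev["time"].hour < end):
            reasons.append("off_hours")
        if ev.get("user") not in approved_admins:
            reasons.append("unexpected_actor")
        alerts.append({
            "time": ev["time"].isoformat(),
            "user": ev.get("user"),
            "field": ev.get("field"),
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in triage_audit_events(SAMPLE_AUDIT_LINES, approved_admins={"alice"}):
        print(alert)
```

Every SAML change produces an alert by design; the extra reasons exist so that an off-hours edit by an account that does not normally administer authentication can be routed at higher severity than routine maintenance by a known administrator.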
How to Mitigate CVE-2026-49381
Immediate Actions Required
- Upgrade JetBrains TeamCity to version 2026.1 or later, which contains the official fix
- Review SAML configuration fields and remove any unexpected HTML or script content
- Rotate administrator credentials and SAML signing material if tampering is suspected
Patch Information
JetBrains fixed the stored XSS in TeamCity 2026.1. Upgrade details and the full list of resolved issues are documented in the JetBrains Security Issues Fixed bulletin. Apply the upgrade through the standard TeamCity update channel and validate that the running server version reports 2026.1 or newer.
Workarounds
- Restrict administrative access to SAML configuration to a minimal set of trusted accounts
- Enforce multi-factor authentication for all TeamCity administrators to reduce the risk of account compromise
- If upgrading is not immediately possible, temporarily disable SAML login and use local authentication until the patch is applied
# Verify the running TeamCity server version
curl -s -u <admin>:<token> https://teamcity.example.com/app/rest/server | grep version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.