PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49372 JetBrains CVE debrief

JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 contain an unauthenticated Server-Side Request Forgery (SSRF) vulnerability exploitable through build status functionality. The flaw allows remote attackers to induce the server to make requests to arbitrary destinations without authentication. With a CVSS 3.1 score of 7.5 (HIGH), this vulnerability presents significant risk as it requires no privileges or user interaction and can be exploited over the network. The vulnerability is classified under CWE-918 (Server-Side Request Forgery). JetBrains has addressed this issue in the specified patched versions. Organizations running affected TeamCity deployments should prioritize upgrading to version 2026.1 or 2025.11.5 or later to remediate this exposure.

Vendor
JetBrains
Product
TeamCity
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations operating JetBrains TeamCity CI/CD infrastructure, particularly those with internet-exposed instances or limited network segmentation. Security teams responsible for supply chain and build environment security. DevOps and platform engineering teams managing TeamCity deployments.

Technical summary

Server-Side Request Forgery (CWE-918) in JetBrains TeamCity build status functionality allows unauthenticated remote attackers to coerce server-side requests to arbitrary destinations. Affects versions before 2026.1 and 2025.11.5. Network-accessible with low attack complexity, no privileges or user interaction required. Confidentiality impact rated HIGH per CVSS 3.1 vector.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade JetBrains TeamCity to version 2026.1 or 2025.11.5 or later to address the unauthenticated SSRF vulnerability
  • Review and restrict network egress from TeamCity servers to limit potential SSRF exploitation impact
  • Audit build status configurations and webhook integrations for unauthorized or suspicious external endpoints
  • Monitor access logs for anomalous outbound requests originating from TeamCity server instances
  • Verify patch deployment across all TeamCity installations, including development and staging environments

Evidence notes

Vulnerability confirmed through official JetBrains security advisory and NVD entry. CVE published 2026-05-29 with status 'Undergoing Analysis'. CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates network-accessible, low-complexity attack with no privileges required. CWE-918 classification confirms SSRF nature.

Official resources

2026-05-29