PatchSiren cyber security CVE debrief
CVE-2026-49373 JetBrains CVE debrief
JetBrains TeamCity before version 2026.1 contains a remote code execution vulnerability exploitable through Perforce connection settings. The vulnerability, classified as CWE-88 (Improper Neutralization of Argument Delimiters in a Command), allows an attacker with low privileges to execute arbitrary code on the affected system. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. The vulnerability was published to the CVE database on May 29, 2026, and remains under analysis by NVD. JetBrains has addressed this issue in TeamCity 2026.1.
- Vendor
- JetBrains
- Product
- TeamCity
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations using JetBrains TeamCity for continuous integration and deployment, particularly those with Perforce (Helix Core) version control integrations. Security teams responsible for CI/CD pipeline security, build infrastructure administrators, and DevOps engineers managing TeamCity deployments should prioritize this patch.
Technical summary
The vulnerability exists in the Perforce version control integration within JetBrains TeamCity. Insufficient input validation on Perforce connection parameters allows argument injection, enabling authenticated attackers with low privileges to execute arbitrary commands on the TeamCity server. The attack requires network access to the TeamCity instance but no user interaction. Successful exploitation grants high confidentiality access and limited integrity modification capabilities. The fix in TeamCity 2026.1 properly neutralizes argument delimiters in Perforce connection settings.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade JetBrains TeamCity to version 2026.1 or later to remediate this vulnerability
- Review Perforce connection configurations for unauthorized modifications if running affected versions
- Restrict network access to TeamCity administrative interfaces to trusted sources
- Monitor TeamCity logs for suspicious Perforce-related activity prior to upgrade
- Apply principle of least privilege to TeamCity user accounts
- Review JetBrains security advisory for additional hardening recommendations
Evidence notes
CVE description confirms RCE via Perforce connection settings in TeamCity versions prior to 2026.1. CVSS 3.1 score of 7.1 (HIGH) with network attack vector and low privileges required. CWE-88 (argument injection/command injection) identified as root cause. JetBrains security advisory page referenced as primary source.
Official resources
-
CVE-2026-49373 CVE record
CVE.org
-
CVE-2026-49373 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-29T19:16:27.163Z