PatchSiren cyber security CVE debrief
CVE-2026-49374 JetBrains CVE debrief
A high-severity vulnerability in JetBrains TeamCity before version 2026.1 allows authenticated users with low privileges to access build configuration parameters due to improper permission checks. The vulnerability, published on May 29, 2026, carries a CVSS 3.1 score of 7.6 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L. The underlying weakness is categorized as CWE-862 (Missing Authorization). Build configuration parameters in TeamCity frequently contain sensitive data including credentials, API keys, and deployment secrets. Exposure of these parameters could enable lateral movement, unauthorized access to downstream systems, or data exfiltration. The vulnerability requires network access and low-privilege authentication but no user interaction, making it exploitable by any authenticated user within the environment. JetBrains has addressed this issue in TeamCity 2026.1. Organizations should prioritize upgrading to the patched version and audit access logs for unauthorized parameter access attempts.
- Vendor
- JetBrains
- Product
- TeamCity
- CVSS
- HIGH 7.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations using JetBrains TeamCity for continuous integration and deployment, particularly those with multi-user environments where build configurations contain sensitive credentials or deployment secrets. Security teams responsible for CI/CD pipeline security and secrets management should prioritize this vulnerability due to the high confidentiality impact and common practice of storing credentials in build parameters.
Technical summary
CVE-2026-49374 is an authorization bypass vulnerability in JetBrains TeamCity prior to 2026.1. The application fails to properly validate permissions when accessing build configuration parameters, allowing authenticated users with low privileges to view sensitive configuration data. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with low integrity and availability impacts. Build configuration parameters in CI/CD systems typically store deployment credentials, cloud provider keys, database connection strings, and other secrets essential for automated builds. Unauthorized access to these parameters represents a significant supply chain security risk. The vulnerability is classified under CWE-862 (Missing Authorization), indicating the system does not perform adequate authorization checks before granting access to protected resources. Remediation requires upgrading to TeamCity 2026.1, which implements proper permission validation for build configuration parameter access.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade JetBrains TeamCity to version 2026.1 or later to remediate the improper permission check vulnerability
- Review TeamCity access logs for unauthorized access to build configuration parameters, particularly from low-privilege accounts
- Audit build configuration parameters for exposed secrets and rotate any credentials that may have been accessible
- Implement principle of least privilege for TeamCity user accounts and restrict access to build configuration settings
- Enable TeamCity audit logging if not already configured to support future incident investigation
Evidence notes
Vulnerability description and CVSS data sourced from NVD record. Vendor attribution to JetBrains derived from CVE description and reference domain analysis. Patch availability confirmed via JetBrains security issues page. CWE-862 classification from official CVE record. No KEV listing or known ransomware campaign use identified.
Official resources
-
CVE-2026-49374 CVE record
CVE.org
-
CVE-2026-49374 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-29T19:16:27.310Z