PatchSiren cyber security CVE debrief
CVE-2026-49376 JetBrains CVE debrief
A medium-severity authentication bypass vulnerability exists in JetBrains TeamCity's SAML plugin prior to version 2026.1. Insufficient username validation during SAML authentication processing could allow an attacker to potentially impersonate legitimate users or gain unauthorized access to the CI/CD platform. The vulnerability stems from improper authorization controls (CWE-863) in the SAML identity provider integration, where crafted SAML assertions may not be sufficiently validated against expected username formats or constraints. This affects organizations using SAML-based single sign-on for TeamCity authentication. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) indicates network-accessible exploitation with low complexity, no privileges required, and no user interaction needed, yielding low impacts to confidentiality and integrity. Organizations should upgrade to TeamCity 2026.1 or later and review SAML configuration for proper username attribute mapping and validation rules.
- Vendor
- JetBrains
- Product
- TeamCity
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-29
- Original CVE updated
- 2026-05-29
- Advisory published
- 2026-05-29
- Advisory updated
- 2026-05-29
Who should care
Organizations running JetBrains TeamCity with SAML-based single sign-on enabled, particularly those in regulated industries relying on CI/CD pipeline security. Security teams responsible for identity and access management in development environments, as well as DevOps engineers managing TeamCity infrastructure, should prioritize this patch.
Technical summary
The SAML plugin in JetBrains TeamCity before 2026.1 fails to properly validate usernames extracted from SAML assertions during the authentication process. This insufficient validation (CWE-863) could allow an attacker to submit crafted SAML responses that bypass expected username constraints, potentially leading to account impersonation or unauthorized access. The vulnerability is remotely exploitable without authentication or user interaction. The fix in version 2026.1 implements proper username validation within the SAML authentication flow.
Defensive priority
medium
Recommended defensive actions
- Upgrade JetBrains TeamCity to version 2026.1 or later to address the SAML plugin username validation vulnerability
- Review SAML identity provider configuration to ensure proper username attribute mapping and validation rules are enforced
- Audit existing TeamCity user accounts for any unauthorized access or anomalous authentication patterns from SAML logins
- Verify that SAML assertions are properly validated against expected username formats and organizational naming conventions
- Consider implementing additional authentication logging and monitoring for SAML-based logins to detect potential impersonation attempts
- If immediate patching is not feasible, evaluate temporary restrictions on SAML authentication or enhanced verification steps for sensitive CI/CD operations
Evidence notes
Vulnerability disclosed via JetBrains security advisory and published to NVD on 2026-05-29. CVE description confirms insufficient username validation in SAML plugin. CVSS 3.1 score of 6.5 assigned with MEDIUM severity. CWE-863 (Incorrect Authorization) identified as primary weakness. Fix version 2026.1 specified in advisory.
Official resources
-
CVE-2026-49376 CVE record
CVE.org
-
CVE-2026-49376 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-29