PatchSiren cyber security CVE debrief

CVE-2026-49377 JetBrains CVE debrief

JetBrains TeamCity versions prior to 2025.11.2 expose sensitive data through default agent parameters. This information disclosure vulnerability (CWE-526) allows authenticated users with low privileges to access sensitive information that the default configuration should not expose. The CVSS 3.1 score of 4.3 (Medium severity) reflects a network-based attack vector with low attack complexity, requiring low privileges but no user interaction. JetBrains disclosed the vulnerability through its security issues fixed page on May 29, 2026, and it is currently undergoing analysis in the NVD. Organizations using affected TeamCity versions should upgrade to 2025.11.2 or later to remediate this exposure.

Vendor: JetBrains
Product: TeamCity
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations using JetBrains TeamCity for continuous integration and deployment should prioritize this patch, particularly those with multi-tenant environments or where build agents handle sensitive credentials. Security teams managing CI/CD infrastructure, DevOps engineers responsible for TeamCity administration, and compliance officers concerned with credential exposure in build pipelines should review their deployments.

Technical summary

This vulnerability exists in JetBrains TeamCity continuous integration server versions before 2025.11.2. The issue stems from default agent parameters that expose sensitive information to authenticated users. TeamCity build agents can be configured with various parameters that may include sensitive values such as credentials, API tokens, or internal system information. When these parameters are exposed by default, any user with low-privilege access to the TeamCity server can retrieve this sensitive data through normal API calls or web interface interactions. The exposure occurs without requiring user interaction, making it accessible to any authenticated attacker. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates network accessibility, low attack complexity, low privilege requirements, no user interaction, and a low impact on confidentiality only. This is classified under CWE-526: Exposure of Sensitive Information Through Environmental Variables, though in this case the exposure occurs through agent parameters rather than environment variables specifically.

Defensive priority

medium

Recommended defensive actions

  • Upgrade JetBrains TeamCity to version 2025.11.2 or later to remediate the sensitive data exposure
  • Review and audit default agent parameters in TeamCity configurations to identify any exposed sensitive values
  • Verify that build agent configurations do not inadvertently expose credentials, tokens, or other sensitive data through environment variables or system properties
  • Monitor TeamCity agent logs and build outputs for unexpected sensitive data disclosure
  • If immediate upgrade is not possible, review JetBrains security advisory for potential configuration-based mitigations
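One way to carry out the parameter review in the second and third actions is to scan an exported agent parameter list for secret-looking names and values. The script below is an added example, not JetBrains or PatchSiren code; the sample data is constructed, and the JSON layout is assumed to match the "properties" object of an agent in TeamCity REST API output.

```python
import json
import re

# Constructed sample; assumed to follow the {"properties": {"property": [...]}}
# shape of an agent in TeamCity REST API JSON. All names and values are made up.
SAMPLE_AGENT_JSON = """
{"name": "agent-01", "properties": {"property": [
  {"name": "env.PATH", "value": "/usr/local/bin:/usr/bin"},
  {"name": "env.DEPLOY_API_TOKEN", "value": "constructed-token-value"},
  {"name": "system.artifact.repo", "value": "https://ci:hunter2@repo.example.invalid/libs"},
  {"name": "env.AWS_ACCESS_KEY_ID", "value": "AKIAABCDEFGHIJKLMNOP"},
  {"name": "teamcity.agent.name", "value": "agent-01"},
  {"name": "env.DB_PASSWORD", "value": ""}
]}}
"""

# Parameter names that suggest a secret (heuristic; tune for your environment).
NAME_HINT = re.compile(
    r"pass(?:word|wd)?|secret|token|api[_.-]?key|private[_.-]?key|credential", re.I)

# Value shapes that indicate a secret regardless of the parameter name.
VALUE_RULES = {
    "url-with-credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I),
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem-private-key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def audit_agent_parameters(agent):
    """Return (parameter name, reason) pairs; values are never echoed."""
    findings = []
    for prop in agent.get("properties", {}).get("property", []):
        name, value = prop.get("name", ""), prop.get("value") or ""
        if not value:
            continue  # an empty parameter discloses nothing
        if NAME_HINT.search(name):
            findings.append((name, "sensitive-name"))
        findings.extend((name, rule) for rule, rx in VALUE_RULES.items()
                        if rx.search(value))
    return findings

if __name__ == "__main__":
    for name, reason in audit_agent_parameters(json.loads(SAMPLE_AGENT_JSON)):
        print(f"{name}: {reason}")
```

Findings list only the parameter name and the matching rule, so the audit output can be shared without spreading the values it flags.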

Evidence notes

The vulnerability description and affected product information are sourced from the official CVE record and NVD entry. The vendor attribution to JetBrains is supported by the reference domain evidence and the security advisory link from [email protected]. The CVSS vector confirms network accessibility with authentication required.

Official resources

JetBrains disclosed this vulnerability through their official security issues fixed page on May 29, 2026. The CVE was published to NVD the same day with status 'Undergoing Analysis'.