PatchSiren

CVE-2026-49378 JetBrains CVE debrief

A medium-severity information disclosure vulnerability in JetBrains TeamCity before version 2026.1 exposes credential parameters through the parameter autocompletion feature. Authenticated users with low privileges can leverage this UI behavior to discover sensitive credential values that should remain concealed. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates a network-accessible attack vector with low attack complexity, requiring low privileges and no user interaction, with low confidentiality impact and no integrity or availability effects. The vulnerability is classified under CWE-862 (Missing Authorization). JetBrains has addressed this issue in TeamCity 2026.1, as documented in its security advisories.

Vendor: JetBrains
Product: TeamCity
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running JetBrains TeamCity CI/CD infrastructure, particularly those storing deployment credentials, API keys, or service account passwords in build configuration parameters; security teams responsible for secrets management in development pipelines; DevOps engineers managing TeamCity instances; and compliance officers monitoring for credential exposure risks in build automation environments.

Technical summary

In JetBrains TeamCity versions prior to 2026.1, the parameter autocompletion functionality fails to properly restrict visibility of credential-type parameters. When users interact with parameter input fields that trigger autocompletion suggestions, the system exposes credential parameter values that should be masked or hidden. This occurs due to insufficient authorization checks on the autocompletion data source, allowing authenticated users with build configuration access to enumerate sensitive credential values through normal UI interaction. The exposure is limited to the autocompletion context and does not require administrative privileges or specialized tools to trigger.

Defensive priority

medium

Recommended defensive actions

  • Upgrade JetBrains TeamCity to version 2026.1 or later to remediate credential exposure via parameter autocompletion
  • Review TeamCity build configuration parameter usage to identify any credentials that may have been inadvertently exposed through autocompletion prior to patching
  • Audit access logs for authenticated user sessions that may have accessed build configuration parameters containing sensitive credentials
  • Consider implementing additional access controls on build configuration editing permissions to limit exposure of credential parameters
  • Monitor for unauthorized access attempts to credential parameters in TeamCity environments that cannot be immediately patched
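
The first two actions can be turned into a rotation worklist. The sketch below is an added example, not JetBrains or PatchSiren code: it checks a server version against the 2026.1 fix and lists the password-type parameters per build configuration. The export layout (`serverVersion`, `buildTypes`) is hypothetical, and the `property` / `type.rawValue` fields with a `password` type spec are an assumption about how parameters were exported; all sample data is constructed.

```python
import json
import re

FIXED = (2026, 1)  # fix version stated in this debrief

def parse_version(text):
    """'2025.11.2 (build 1)' -> (2025, 11, 2); None if no version is found."""
    m = re.match(r"\s*(\d{4})\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g) for g in m.groups() if g is not None) if m else None

def is_affected(version_text):
    """True for servers older than 2026.1; unparseable versions fail closed."""
    v = parse_version(version_text)
    return v is None or v < FIXED

def credential_params(export):
    """Map build configuration id -> names of password-type parameters.
    Only names and type specs are read, never parameter values."""
    found = {}
    for bt in export["buildTypes"]:
        props = bt.get("parameters", {}).get("property", [])
        names = sorted(p["name"] for p in props
                       if p.get("type", {}).get("rawValue", "").startswith("password"))
        if names:
            found[bt["id"]] = names
    return found

def rotation_candidates(export):
    """Credentials to review and rotate, empty when the server is already fixed."""
    return credential_params(export) if is_affected(export["serverVersion"]) else {}

# Constructed sample export (hypothetical shape, not real data).
SAMPLE = json.loads("""
{"serverVersion": "2025.11.2 (build 000000)",
 "buildTypes": [
  {"id": "Shop_Deploy", "parameters": {"property": [
    {"name": "env.DEPLOY_TOKEN", "type": {"rawValue": "password display='hidden'"}},
    {"name": "deploy.region", "value": "eu-west-1", "type": {"rawValue": "text"}},
    {"name": "env.AWS_SECRET", "type": {"rawValue": "password display='normal'"}}]}},
  {"id": "Shop_Test", "parameters": {"property": [
    {"name": "test.shards", "value": "4"}]}}]}
""")

if __name__ == "__main__":
    for build_type, names in rotation_candidates(SAMPLE).items():
        print(build_type, "->", ", ".join(names))
```

A version string that cannot be parsed is treated as affected, so an instance with an unknown build still lands on the review list.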

Evidence notes

Vulnerability confirmed through official JetBrains security advisory channel ([email protected]) and NVD entry. Fix version 2026.1 explicitly stated in source description. CVSS vector and CWE classification sourced from NVD metadata.

Official resources

2026-05-29