PatchSiren cyber security CVE debrief
CVE-2026-49379 JetBrains CVE debrief
A credentials exposure vulnerability in JetBrains TeamCity before version 2026.1 allows sensitive information to appear in thread names, potentially exposing credentials to users with local access to process listings or diagnostic outputs. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates a network attack vector with low attack complexity, requiring low privileges and yielding high confidentiality impact. The CVE record was published on May 29, 2026 and modified the same day. JetBrains has addressed this issue in TeamCity 2026.1.
- Vendor: JetBrains
- Product: TeamCity
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running JetBrains TeamCity CI/CD infrastructure, particularly those with multi-user environments or shared build agent infrastructure. Security teams responsible for secrets management and CI/CD pipeline security. DevOps engineers managing TeamCity deployments with diagnostic or monitoring integrations that may expose thread information.
Technical summary
In JetBrains TeamCity versions prior to 2026.1, sensitive credentials could be embedded in Java thread names. Thread names are commonly exposed through process monitoring tools (ps, jstack, VisualVM), application logs, and diagnostic endpoints. This creates an information disclosure pathway in which credentials may be visible to users with sufficient privileges to view process information or access diagnostic outputs. The vulnerability is classified under CWE-522 (Insufficiently Protected Credentials) and carries a CVSS 3.1 score of 6.5 (MEDIUM) with high confidentiality impact. The network attack vector, low attack complexity and low privilege requirement indicate that authenticated users with basic access may exploit this exposure. Remediation requires upgrading to TeamCity 2026.1, which eliminates credentials from thread naming patterns.
Defensive priority
medium
Recommended defensive actions
- Upgrade JetBrains TeamCity to version 2026.1 or later to remediate credentials exposure in thread names
- Review process monitoring and diagnostic output access controls to limit exposure of thread name information
- Audit TeamCity logs and diagnostic outputs for potential credential exposure if running affected versions
- Implement principle of least privilege for TeamCity administrative access
- Monitor for unauthorized access attempts to TeamCity diagnostic interfaces
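One way to carry out the audit step above on saved thread dumps, as an added example that is not JetBrains or PatchSiren code: it reads jstack-style thread header lines and reports names that contain credential-like strings, with the secret masked. The credential patterns and the sample thread names are assumptions made for illustration, because the advisory does not publish the affected thread-name format.

```python
import re

# Thread header line as printed by jstack / JVM thread dumps: "name" #id ...
THREAD_HEADER = re.compile(r'^"(?P<name>.*)"\s+#\d+')

# Assumed credential shapes; the advisory does not publish the affected
# thread-name format, so these are generic heuristics, not TeamCity patterns.
CREDENTIAL_PATTERNS = {
    "url-userinfo": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^@\s/]+)@", re.I),
    "key-value": re.compile(
        r"(?:password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*"
        r"(?P<secret>[^\s,;&\"]+)", re.I),
    "auth-header": re.compile(r"(?:basic|bearer)\s+(?P<secret>[A-Za-z0-9+/._~-]{8,}=*)", re.I),
}

def _mask(match):
    """Replace only the secret part of a match so the report is safe to share."""
    start, end = (i - match.start() for i in match.span("secret"))
    text = match.group(0)
    return text[:start] + "<redacted>" + text[end:]

def audit_thread_dump(dump_text):
    """Return (line_number, matched_kinds, redacted_thread_name) per hit."""
    findings = []
    for lineno, line in enumerate(dump_text.splitlines(), 1):
        header = THREAD_HEADER.match(line)
        if not header:
            continue  # stack frames and state lines carry no thread name
        name, kinds = header.group("name"), []
        for kind, pattern in CREDENTIAL_PATTERNS.items():
            name, count = pattern.subn(_mask, name)
            if count:
                kinds.append(kind)
        if kinds:
            findings.append((lineno, kinds, name))
    return findings

# Constructed sample dump (thread names are invented for this example).
SAMPLE_DUMP = """\
"main" #1 prio=5 os_prio=0 tid=0x00007f0000000001 nid=0x1a03 waiting on condition
   java.lang.Thread.State: WAITING (parking)
"VCS poll https://builder:S3cr3tPw@git.example.invalid/repo.git" #41 daemon prio=5 os_prio=0 tid=0x00007f0000000002 nid=0x1a2b runnable
"artifact upload token=abcd1234efgh" #42 daemon prio=5 os_prio=0 tid=0x00007f0000000003 nid=0x1a2c runnable
"HTTP worker 7" #43 daemon prio=5 os_prio=0 tid=0x00007f0000000004 nid=0x1a2d runnable
"""

if __name__ == "__main__":
    print(*audit_thread_dump(SAMPLE_DUMP), sep="\n")
```

The patterns are heuristic and will produce some false positives; any credential a hit confirms should be treated as exposed and rotated.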
Evidence notes
CVE description confirms credentials exposed in thread names. CVSS 6.5 (MEDIUM) with high confidentiality impact. CWE-522 (Insufficiently Protected Credentials) assigned. Vendor fix confirmed via JetBrains security issues page.
Official resources
- CVE-2026-49379 CVE record: CVE.org
- CVE-2026-49379 NVD detail: NVD
- Source item URL: nvd_modified
- Source reference: 2026-05-29