JetBrains Patches High-Severity Vulnerability (CVE-2026-44413) in TeamCity On-Premises

High-Severity Flaw in JetBrains TeamCity On-Premises Allows API Exposure (CVE-2026-44413)

Severity: HIGH
May 12, 2026
Topics: Vulnerability, Patch Management, Supply Chain Attack


Executive Summary

JetBrains has released a security advisory for a high-severity vulnerability, CVE-2026-44413, affecting TeamCity On-Premises continuous integration and deployment servers. The vulnerability is a post-authentication flaw that enables any authenticated user, even those with minimal privileges, to expose certain server API endpoints to unauthenticated users. This could lead to information disclosure or further attacks. The issue impacts all versions of TeamCity On-Premises up to and including 2025.11.4. JetBrains has addressed the vulnerability in the new version 2026.1 and has also made a security patch plugin available for older versions. TeamCity Cloud customers are not affected.

Vulnerability Details

  • CVE ID: CVE-2026-44413
  • Severity: High
  • Type: Post-Authentication Privilege Escalation / API Exposure

The core of the vulnerability lies in a flaw that allows an authenticated user to manipulate the server in such a way that specific API endpoints become accessible without authentication. This means a low-privileged user (e.g., one with read-only access) could trigger the flaw and then an external, unauthenticated attacker could interact with the exposed API endpoints. The advisory notes the risk is heightened in environments where firewall rules permit inbound connections on non-standard ports or where build agents run on the same host as the TeamCity server.

Affected Systems

  • All versions of JetBrains TeamCity On-Premises up to and including version 2025.11.4 are affected.
  • TeamCity Cloud is not affected.

Exploitation Status

The vulnerability was privately reported to JetBrains by researcher Martin Orem on April 30, 2026. While the title of one source mentions 'active exploitation', the bodies of the source articles describe a responsible disclosure process. However, as with any publicly disclosed vulnerability in a popular tool like TeamCity, administrators should assume that attackers will develop exploits quickly. TeamCity servers are high-value targets as they often contain source code, credentials, and artifacts for an entire organization.

Impact Assessment

A successful exploit of CVE-2026-44413 could have severe consequences. By exposing server APIs, an attacker could potentially:

  • Gain access to sensitive information stored on the TeamCity server, such as project names, build configurations, and user data.
  • Depending on the specific APIs exposed, an attacker might be able to trigger builds, access build artifacts (which could contain sensitive secrets), or manipulate server settings.
  • Chain this vulnerability with others to achieve remote code execution or full server compromise. Given that TeamCity is at the heart of the software development lifecycle for many organizations, a compromise could lead to a catastrophic supply chain attack.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Server Version: Check the version of your TeamCity server. If it is 2025.11.4 or older, it is vulnerable.
  • Network Logs: Monitor for unusual inbound connections to your TeamCity server's API endpoints (/app/rest/) from unexpected or external IP addresses. This could indicate that an API has been exposed and is being probed or exploited.
  • Audit Logs: Review TeamCity's audit logs for suspicious actions taken by low-privileged users that shortly precede anomalous API activity. Look for any configuration changes or actions that seem out of character for a given user's role.

Detection Methods

  • Asset Inventory: Maintain an accurate inventory of all TeamCity instances and their versions to quickly identify vulnerable servers.
  • Web Application Firewall (WAF): A WAF could be configured with rules to block direct external access to sensitive API endpoints, but this would be a reactive measure. The primary defense is patching.
  • Log Analysis: Ingest TeamCity access and audit logs into a SIEM. Create rules to alert on a spike in API errors or access attempts from unauthenticated sources, which could signal that an API has been improperly exposed.
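The hunting hints above (API requests to /app/rest/ from unexpected addresses, and anomalous activity that follows) and the SIEM rule sketched under Log Analysis can be expressed as one small detector. The following is an added example written for this article, not tooling from JetBrains or from the article's author. It assumes a reverse proxy in front of TeamCity writing an Apache/nginx "combined" format access log, in which the third field is the user the proxy authenticated ("-" when none); the trusted ranges, thresholds and log lines are constructed.

```python
"""Hunting for exposed TeamCity REST API access in reverse-proxy logs.

Added example for this article, not tooling from JetBrains. It assumes an
Apache/nginx "combined"-format access log written by a reverse proxy in front
of TeamCity, where the third field is the authenticated user the proxy saw
("-" when none). Trusted ranges, thresholds and the log lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed: the internal ranges that are allowed to talk to the server.
TRUSTED_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
API_PREFIX = "/app/rest/"        # TeamCity REST API path named in the article
PROBE_THRESHOLD = 3              # 401/403 responses from one source ...
PROBE_WINDOW_SECONDS = 60        # ... within this window count as probing

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one internal user, one external host probing the API
# and then receiving a successful unauthenticated response.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [12/May/2026:09:00:01 +0000] "GET /app/rest/builds HTTP/1.1" 200 512
10.0.0.5 - jdoe [12/May/2026:09:00:03 +0000] "GET /project.html HTTP/1.1" 200 2048
203.0.113.7 - - [12/May/2026:09:01:10 +0000] "GET /app/rest/server HTTP/1.1" 401 0
203.0.113.7 - - [12/May/2026:09:01:11 +0000] "GET /app/rest/projects HTTP/1.1" 401 0
203.0.113.7 - - [12/May/2026:09:01:12 +0000] "GET /app/rest/users HTTP/1.1" 403 0
203.0.113.7 - - [12/May/2026:09:01:40 +0000] "GET /app/rest/builds HTTP/1.1" 200 9870
198.51.100.3 - - [12/May/2026:09:05:00 +0000] "GET /login.html HTTP/1.1" 200 1200
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["trusted"] = any(ip_address(rec["ip"]) in net for net in TRUSTED_RANGES)
    return rec


def hunt(log_text):
    """Return findings as (kind, source_ip, path) tuples, in log order.

    Kinds: api_probing         - repeated 401/403 on the API from one untrusted source
           unauth_api_success  - an untrusted source with no user got a 2xx from the API
           external_api_access - any other API request from outside the trusted ranges
    """
    findings = []
    failures = defaultdict(list)   # source ip -> timestamps of recent 401/403
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(API_PREFIX) or rec["trusted"]:
            continue
        if rec["status"] in (401, 403):
            failures[rec["ip"]].append(rec["ts"])
            recent = [t for t in failures[rec["ip"]]
                      if (rec["ts"] - t).total_seconds() <= PROBE_WINDOW_SECONDS]
            if len(recent) == PROBE_THRESHOLD:   # alert once when the threshold is crossed
                findings.append(("api_probing", rec["ip"], rec["path"]))
        elif 200 <= rec["status"] < 300 and rec["user"] == "-":
            findings.append(("unauth_api_success", rec["ip"], rec["path"]))
        else:
            findings.append(("external_api_access", rec["ip"], rec["path"]))
    return findings


def summarize(findings):
    """Counts per finding kind, the shape a SIEM spike rule would threshold on."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    for kind, ip, path in hunt(SAMPLE_LOG):
        print(f"{kind:20} {ip:15} {path}")
    print(summarize(hunt(SAMPLE_LOG)))
```

On the constructed sample the detector raises one probing alert for 203.0.113.7 after its third authentication failure and then an unauth_api_success finding when the same host receives a 200 from /app/rest/builds with no authenticated user, which is the pattern the article describes for an API that has been improperly exposed. The unauth_api_success check depends on the proxy actually recording the user; if TeamCity authenticates with bearer tokens that the proxy does not log, correlate with TeamCity's own audit log instead.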

Remediation Steps

JetBrains has provided clear remediation paths:

  1. Upgrade (Recommended): The best course of action is to upgrade your TeamCity On-Premises server to version 2026.1 or newer. This version contains the definitive fix for the vulnerability.
  2. Install Security Patch Plugin (Workaround): If an immediate upgrade is not possible, a security patch plugin is available.
    • This plugin is compatible with TeamCity versions 2017.1 and newer.
    • For versions 2018.2 and newer, the plugin can be installed without requiring a server restart.
    • This should be considered a temporary mitigation until a full upgrade can be performed.

Administrators should prioritize the remediation of internet-facing TeamCity servers.
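The remediation decision for each server follows from four version facts stated above: releases up to and including 2025.11.4 are affected, 2026.1 carries the fix, the patch plugin supports 2017.1 and newer, and from 2018.2 the plugin installs without a restart. The following added example (not JetBrains' tooling and not code from the article) turns an asset inventory into a prioritized work list with internet-facing servers first, as the paragraph above recommends. The inventory is constructed; version strings are compared numerically so that 2025.11.4 sorts after 2025.9.1.

```python
"""Patch triage for a TeamCity On-Premises inventory (CVE-2026-44413).

Added example for this article, not JetBrains' tooling. It encodes only the
version facts given in the advisory summary: releases up to and including
2025.11.4 are affected, 2026.1 carries the fix, the security patch plugin
supports 2017.1 and newer, and from 2018.2 it installs without a restart.
The inventory below is constructed.
"""
from dataclasses import dataclass

LAST_AFFECTED = "2025.11.4"
FIXED_IN = "2026.1"
PLUGIN_MIN = "2017.1"
PLUGIN_NO_RESTART_FROM = "2018.2"


def parse_version(text):
    """'2025.11.4' -> (2025, 11, 4). Missing parts count as 0, so '2026.1'
    and '2026.1.0' compare equal and numeric order is preserved."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    return parse_version(version) <= parse_version(LAST_AFFECTED)


@dataclass
class Server:
    host: str
    version: str
    internet_facing: bool


def triage(server):
    """Return (priority, action); priority 1 is the most urgent."""
    v = parse_version(server.version)
    if v >= parse_version(FIXED_IN):
        return (4, "not affected: fixed release")
    if not is_affected(server.version):
        # Newer than the listed affected range but older than the fix: the
        # advisory summary gives no verdict, so do not assume it is safe.
        return (2, "verify against the vendor advisory")
    if v >= parse_version(PLUGIN_NO_RESTART_FROM):
        action = "upgrade to 2026.1+; interim: patch plugin (no restart needed)"
    elif v >= parse_version(PLUGIN_MIN):
        action = "upgrade to 2026.1+; interim: patch plugin (restart required)"
    else:
        action = "upgrade to 2026.1+ (plugin unsupported on this release)"
    return (1 if server.internet_facing else 2, action)


def plan(inventory):
    """Work list sorted by priority, then host, as (host, version, priority, action)."""
    rows = [(s.host, s.version) + triage(s) for s in inventory]
    return sorted(rows, key=lambda r: (r[2], r[0]))


# Constructed inventory
INVENTORY = [
    Server("ci-legacy", "2017.2", internet_facing=False),
    Server("ci-prod", "2025.11.4", internet_facing=True),
    Server("ci-old", "2016.1", internet_facing=False),
    Server("ci-new", "2026.1", internet_facing=True),
]

if __name__ == "__main__":
    for host, version, priority, action in plan(INVENTORY):
        print(f"P{priority} {host:10} {version:10} {action}")
```

The "verify" branch is deliberate: a version newer than 2025.11.4 but older than 2026.1 is outside both ranges the advisory summary names, and a triage script should surface that gap rather than silently mark the host safe.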

Timeline of Events

  1. April 30, 2026: The vulnerability was privately reported to JetBrains by researcher Martin Orem.
  2. May 11, 2026: JetBrains releases a public advisory and patches for CVE-2026-44413.
  3. May 12, 2026: This article was published.

MITRE ATT&CK Mitigations

The most effective mitigation is to upgrade to a patched version of TeamCity (2026.1 or newer) or apply the provided security plugin.

Restrict network access to the TeamCity server and its API endpoints to trusted internal IP ranges only. Do not expose TeamCity servers directly to the internet.

Regularly audit user permissions within TeamCity, applying the principle of least privilege to limit the potential impact of a compromised low-privilege account.

D3FEND Defensive Countermeasures

The primary and most critical action for mitigating CVE-2026-44413 is to perform a software update. JetBrains has provided a direct solution in TeamCity version 2026.1. Administrators of On-Premises instances must prioritize this upgrade. For internet-facing servers, this should be considered an emergency change. The upgrade process involves backing up the current TeamCity instance, running the installer for the new version, and verifying functionality post-upgrade. For organizations unable to perform an immediate full upgrade, the provided security patch plugin acts as a vital stop-gap. This plugin specifically addresses the API exposure flaw and can be installed quickly, often without a server restart. This two-tiered approach from JetBrains allows for both immediate risk reduction and a permanent fix.

As a defense-in-depth measure, Inbound Traffic Filtering is crucial for protecting high-value assets like TeamCity servers. TeamCity On-Premises instances should never be directly exposed to the public internet. Access should be restricted using a combination of firewalls, reverse proxies, and VPNs. Firewall rules should be configured to only allow access to the TeamCity web interface (ports 80/443) from a limited set of trusted IP addresses, such as corporate offices or a VPN gateway. Access to the API endpoints (/app/rest/*) from external, untrusted sources should be explicitly blocked at the network edge. This ensures that even if a vulnerability like CVE-2026-44413 is triggered, an external unauthenticated attacker cannot reach the exposed API to exploit it.

While this vulnerability allowed any authenticated user to trigger it, adhering to the principle of least privilege can limit the attack surface and potential for discovery. A thorough audit of User Account Permissions within TeamCity should be conducted. Users should only be granted the minimum permissions required to perform their jobs. For example, developers who only need to view build statuses should not have accounts that can also administer projects. By minimizing the number of authenticated users and the scope of their permissions, you reduce the number of accounts that could be compromised (via phishing, etc.) and used to trigger such a post-authentication flaw. This is a foundational security practice that hardens the application against a wide range of threats.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

JetBrains, TeamCity, Vulnerability, CVE-2026-44413, CI/CD, Patch Management, API Security
