JetBrains Patches High-Severity Vulnerability (CVE-2026-44413) in TeamCity On-Premises

High-Severity Flaw in JetBrains TeamCity On-Premises Allows API Exposure (CVE-2026-44413)

Severity: High
Published: May 12, 2026
Updated: May 17, 2026
Tags: Vulnerability, Patch Management, Supply Chain Attack

Full Report (when first published)

Executive Summary

JetBrains has released a security advisory for a high-severity vulnerability, CVE-2026-44413, affecting TeamCity On-Premises continuous integration and deployment servers. The vulnerability is a post-authentication flaw that enables any authenticated user, even those with minimal privileges, to expose certain server API endpoints to unauthenticated users. This could lead to information disclosure or further attacks. The issue impacts all versions of TeamCity On-Premises up to and including 2025.11.4. JetBrains has addressed the vulnerability in the new version 2026.1 and has also made a security patch plugin available for older versions. TeamCity Cloud customers are not affected.

Vulnerability Details

  • CVE ID: CVE-2026-44413
  • Severity: High
  • Type: Post-Authentication Privilege Escalation / API Exposure

The core of the vulnerability lies in a flaw that allows an authenticated user to manipulate the server in such a way that specific API endpoints become accessible without authentication. This means a low-privileged user (e.g., one with read-only access) could trigger the flaw and then an external, unauthenticated attacker could interact with the exposed API endpoints. The advisory notes the risk is heightened in environments where firewall rules permit inbound connections on non-standard ports or where build agents run on the same host as the TeamCity server.

Affected Systems

  • All versions of JetBrains TeamCity On-Premises up to and including version 2025.11.4 are affected.
  • TeamCity Cloud is not affected.

Exploitation Status

The vulnerability was privately reported to JetBrains by researcher Martin Orem on April 30, 2026. Although the title of one source mentions 'active exploitation', the bodies of the source articles describe a coordinated disclosure process with no confirmed exploitation. Even so, as with any publicly disclosed vulnerability in a widely deployed tool like TeamCity, administrators should assume that attackers will develop exploits quickly. TeamCity servers are high-value targets because they often hold source code, credentials, and build artifacts for an entire organization.

Impact Assessment

A successful exploit of CVE-2026-44413 could have severe consequences. By exposing server APIs to unauthenticated callers, an attacker could potentially:

  • Gain access to sensitive information stored on the TeamCity server, such as project names, build configurations, and user data.
  • Trigger builds, access build artifacts (which may contain secrets), or manipulate server settings, depending on which APIs are exposed.
  • Chain this vulnerability with others to achieve remote code execution or full server compromise. Because TeamCity sits at the heart of the software development lifecycle for many organizations, a compromise could lead to a catastrophic supply chain attack.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Server Version: Check the version of your TeamCity server. If it is 2025.11.4 or older, it is vulnerable.
  • Network Logs: Monitor for unusual inbound connections to your TeamCity server's API endpoints (/app/rest/) from unexpected or external IP addresses. This could indicate that an API has been exposed and is being probed or exploited.
  • Audit Logs: Review TeamCity's audit logs for suspicious actions taken by low-privileged users that shortly precede anomalous API activity. Look for any configuration changes or actions that seem out of character for a given user's role.

Detection Methods

  • Asset Inventory: Maintain an accurate inventory of all TeamCity instances and their versions to quickly identify vulnerable servers.
  • Web Application Firewall (WAF): A WAF could be configured with rules to block direct external access to sensitive API endpoints, but this would be a reactive measure. The primary defense is patching.
  • Log Analysis: Ingest TeamCity access and audit logs into a SIEM. Create rules to alert on a spike in API errors or access attempts from unauthenticated sources, which could signal that an API has been improperly exposed.
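As an added example (not from the JetBrains advisory or the source articles), the hunting hints above and the log-analysis rule in this section can be prototyped as a small detector over web server access logs: it flags successful /app/rest/ requests that carry no authenticated user and arrive from outside trusted address ranges, counts repeat sources, and checks a server version against the affected range. The Combined Log Format layout, the sample lines, and the internal network ranges are constructed assumptions; substitute your own log format and trusted ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Combined Log Format (an assumption; the page does not
# give TeamCity's access log layout). Third field = authenticated user, "-" if none.
SAMPLE_LOG = """\
10.0.4.21 - alice [12/May/2026:09:01:10 +0000] "GET /app/rest/projects HTTP/1.1" 200 1532
10.0.4.21 - alice [12/May/2026:09:01:12 +0000] "GET /app/rest/builds?count=5 HTTP/1.1" 200 4101
203.0.113.45 - - [12/May/2026:09:03:02 +0000] "GET /app/rest/server HTTP/1.1" 200 611
203.0.113.45 - - [12/May/2026:09:03:03 +0000] "GET /app/rest/builds HTTP/1.1" 200 8822
203.0.113.45 - - [12/May/2026:09:03:05 +0000] "GET /app/rest/users HTTP/1.1" 401 0
198.51.100.7 - - [12/May/2026:09:04:40 +0000] "GET /favicon.ico HTTP/1.1" 200 318
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Assumed trusted ranges; adjust to the networks your users and build agents actually use.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_vulnerable_version(version: str) -> bool:
    """True for dotted numeric versions up to and including 2025.11.4 (per the advisory)."""
    return tuple(int(p) for p in version.split(".")) <= (2025, 11, 4)

def find_exposed_api_hits(log_text: str) -> list[dict]:
    """REST API requests (/app/rest/) answered 2xx with no authenticated user, from an
    address outside INTERNAL_NETS: the signature of an endpoint reachable anonymously."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith("/app/rest/"):
            continue
        addr = ipaddress.ip_address(m["ip"])
        external = not any(addr in net for net in INTERNAL_NETS)
        if external and m["user"] == "-" and m["status"].startswith("2"):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits

def spike_sources(hits: list[dict], threshold: int = 2) -> dict[str, int]:
    """Source IPs with at least `threshold` anonymous successful API hits (spike rule)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print("vulnerable build:", is_vulnerable_version("2025.11.4"))
    hits = find_exposed_api_hits(SAMPLE_LOG)
    for h in hits:
        print("ALERT anonymous external API success:", h)
    print("repeat sources:", spike_sources(hits))
```

Requests that are rejected (the 401 line) or fall outside the REST prefix (favicon) are deliberately ignored, so the rule fires only on anonymous requests the server actually served.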

Remediation Steps

JetBrains has provided clear remediation paths:

  1. Upgrade (Recommended): The best course of action is to upgrade your TeamCity On-Premises server to version 2026.1 or newer. This version contains the definitive fix for the vulnerability.
  2. Install Security Patch Plugin (Workaround): If an immediate upgrade is not possible, a security patch plugin is available.
    • This plugin is compatible with TeamCity versions 2017.1 and newer.
    • For versions 2018.2 and newer, the plugin can be installed without requiring a server restart.
    • This should be considered a temporary mitigation until a full upgrade can be performed.

Administrators should prioritize the remediation of internet-facing TeamCity servers.

Timeline of Events

  1. April 30, 2026: The vulnerability was privately reported to JetBrains by researcher Martin Orem.
  2. May 11, 2026: JetBrains releases a public advisory and patches for CVE-2026-44413.
  3. May 12, 2026: This article was published.

Article Updates

May 17, 2026: Severity increased

JetBrains urges immediate patch for TeamCity flaw, detailing supply chain risks and enhanced mitigation strategies.

The new article, dated May 17, 2026, reinforces the critical need for immediate patching of CVE-2026-44413 in JetBrains TeamCity. It significantly expands on the potential impact, detailing how a compromise could lead to devastating supply chain attacks, similar to SolarWinds, by enabling attackers to steal source code (T1213), inject malicious code (T1195.002), and steal credentials (T1552). It also provides enhanced detection methods, including reviewing audit and web server logs, and monitoring build agents. Additional remediation steps are advised, such as restricting server access, regularly auditing user permissions, and securing build scripts, emphasizing Network Isolation (D3-NI).


Article Author

Jason Gomes, Cybersecurity Practitioner
