CVE-2026-49372 (HIGH), CNA: JetBrains

CVE-2026-49372: In JetBrains TeamCity before 2026

In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible

HarborGuard Analysis


Synopsis

Unauthenticated server-side request forgery (SSRF) in JetBrains TeamCity's build status feature. The bug is reachable over the network with no authentication and no user interaction, letting an attacker coerce the TeamCity server into making outbound requests on the attacker's behalf and reading the responses, which exposes internal services, cloud metadata endpoints, and other resources reachable from the TeamCity host. Patched-image rebuilds at TeamCity 2026.1 and 2025.11.5 are available on HarborGuard for affected environments.

HarborGuard Coverage

  • Detection: Available

    Detection is available across every HarborGuard environment: this CVE is ingested from upstream feeds within minutes of publication and matched against TeamCity images in customer registries and CI/CD pipelines, including custom-built images that embed TeamCity.

  • Triage: Available

    Triage is available with the JetBrains CVSS 7.5 (HIGH) score reflected in each environment, weighted against the customer's compliance policy (for example, externally exposed CI servers raise the effective priority) and routed to the appropriate inbox inside the customer org.

  • Patch: Available

    Patched-image rebuilds at TeamCity 2026.1 or 2025.11.5 become available on HarborGuard for affected environments; for customers who opt into auto-remediation, the platform rebuilds the image, runs the regression suite, and opens a PR against workloads pinned to vulnerable TeamCity versions.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the TeamCity HTTP interface over the network to trigger the build status endpoint.

  • Authentication: Not required

    No credentials are needed; the SSRF is reachable by anonymous unauthenticated requests.

  • Victim interaction: Not required

    No user action is required; the attacker drives the request directly against the server.

  • Attack complexity: Low (AC:L)

    AC:L indicates the exploit is reliable and does not depend on race conditions or environmental factors.

Blast Radius

  • Reads responses from internal HTTP services that the TeamCity server can reach but external attackers cannot.
  • Retrieves cloud instance metadata (for example AWS IMDS) when TeamCity runs in a cloud VM, which can expose temporary credentials.
  • Maps internal network topology by probing hosts and ports through the TeamCity server.
  • No direct integrity or availability impact: the CVSS vector reports I:N and A:N, so the bug is confidentiality-only.

How HarborGuard Handles This

Available on HarborGuard: patched-image rebuilds at TeamCity 2026.1 and 2025.11.5 are published as soon as the upstream fix lands, and for environments with auto-remediation enabled the platform rebuilds affected images, runs the regression suite, and opens a PR against workloads pinned to the vulnerable versions. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments that cannot upgrade immediately, HarborGuard surfaces compensating-control suggestions such as restricting TeamCity egress to known build dependencies and blocking access to cloud metadata endpoints from the TeamCity host.
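The compensating controls mentioned above (restrict TeamCity egress to known build dependencies, refuse the cloud metadata endpoint) can be expressed as a deny-by-default outbound policy. The following is an added example written for this page, not HarborGuard's or JetBrains' code; the allowlist entries and the URLs in the comments are constructed for illustration.

```python
"""Deny-by-default egress policy for a CI server.

Added example (not HarborGuard's or JetBrains' code). A request may leave
the host only if its scheme is http(s), its destination is not an IP literal
inside a metadata/internal range, and its hostname is on an explicit
allowlist of build dependencies. Allowlist values are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Networks a CI server should never reach via a user-controlled URL:
# link-local (cloud metadata 169.254.169.254 lives here), loopback,
# RFC 1918, CGNAT, "this network", and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7",
)]
ALLOWED_SCHEMES = {"http", "https"}


def _blocked_ip(host):
    """True if host is an IP literal that falls inside a blocked network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:169.254.169.254) so that the
    # IPv4 block rules still apply to the bracketed IPv6 spelling.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def egress_allowed(url, allowed_hosts):
    """Decide whether an outbound request may proceed.

    Returns (allowed, reason). allowed_hosts is a set of lowercase
    hostnames the CI server legitimately needs (constructed values).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not permitted"
    host = parts.hostname  # lowercased, brackets and userinfo stripped
    if not host:
        return False, "no host"
    if _blocked_ip(host):
        return False, "destination in blocked network"
    if host not in allowed_hosts:
        return False, "host not on egress allowlist"
    return True, "ok"


if __name__ == "__main__":
    deps = {"repo.example.internal", "plugins.example.internal"}  # constructed
    for u in ("https://repo.example.internal/artifact.jar",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/",
              "http://user@127.0.0.1:8111/",
              "file:///etc/passwd"):
        print(u, "->", egress_allowed(u, deps))
```

The check deliberately does not resolve hostnames, so a name that resolves to an internal address (DNS rebinding) is stopped only by the allowlist miss; that is why the allowlist is mandatory rather than optional. Exotic IP spellings such as a bare decimal integer are not parsed as addresses either and likewise fall through to "host not on egress allowlist". This application-level check complements, and does not replace, a network-level egress filter on the TeamCity host.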


Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 2026.1, 2025.11.5
Affected Products: 1

Fix available: 2026.1, 2025.11.5

Affected packages
  • JetBrains / TeamCity
    < 2026.1, 2025.11.5 (from 0)

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N