Severity: HIGH | CVE-2026-49374 | CNA: JetBrains

CVE-2026-49374: In JetBrains TeamCity before 2026

In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters

HarborGuard Analysis


Synopsis

This is a broken access control flaw in JetBrains TeamCity where missing permission checks expose build configuration parameters to users who should not see them. The bug is reachable over the network by any authenticated TeamCity user with a low-privilege account, and successful exploitation lets the attacker read sensitive build parameters and make limited modifications or cause limited service disruption. A patched-image rebuild at TeamCity 2026.1 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against TeamCity images in customer registries and CI pipelines. Coverage extends to custom-built images that bundle or layer TeamCity, not just official upstream tags.

Triage

Triage is available with the JetBrains CVSS 7.6 high-severity score weighted against each customer's compliance policy, so an internal CI server and an internet-exposed build cluster get scored and prioritized differently. Findings route to the inbox configured for the owning team inside each customer org.

Patch

A patched-image rebuild at TeamCity 2026.1 becomes available on HarborGuard once the fix version is ingested. For customers who opt into auto-remediation, the rebuild runs through regression tests and a pull request is opened against affected workloads referencing the vulnerable image.


Exploit Conditions

  • Network reachability: Required

    The attacker needs network reach to the TeamCity server's web interface or API.

  • Authentication: Required

    Any low-privilege TeamCity user account is sufficient to trigger the missing permission check.

  • Victim interaction: Not required

    No action from another user or administrator is needed to reach the vulnerable code path.

  • Attack complexity

    Attack complexity is low, meaning the request is reliable and does not depend on timing or environmental conditions.

Blast Radius

  • Reads build configuration parameters that frequently contain secrets such as deployment tokens, registry credentials, and signing keys.
  • Performs limited tampering with build-related data exposed through the same weak permission check.
  • Causes limited service disruption to TeamCity build operations through the affected endpoints.

How HarborGuard Handles This

Available on HarborGuard: a patched-image rebuild at TeamCity 2026.1 for environments running an affected version. For customers with auto-remediation enabled, the rebuild is regression-tested and a PR is opened against workloads referencing the vulnerable image; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Where auto-remediation is gated by compliance policy, the rebuilt image is staged for manual review and promotion.


Metrics

CVSS v3.1: 7.6
Severity: HIGH
Fixed in: 2026.1
Affected Products: 1

Fix available: 2026.1

Affected packages
  • JetBrains / TeamCity
    < 2026.1 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L