JetBrains TeamCity vulnerability allows privilege escalation, API exposure (CVE-2026-44413)

JetBrains has patched a high-severity vulnerability (CVE-2026-44413) in TeamCity, its popular continuous integration and continuous delivery platform, and is urging organizations with on-premises and self-managed deployments to upgrade to the fixed version or implement a security patch.

About CVE-2026-44413

CVE-2026-44413 allows for privilege escalation, and may allow attackers to expose some parts of the TeamCity server API to unauthorized users.

TeamCity’s REST API is extensive, with many endpoints, some of which may expose sensitive information such as API tokens; Git credentials; secrets and passwords used in builds; build logs; usernames, email addresses and user roles.

Some of these secrets may be leveraged to access cloud infrastructure or source code repositories, and potentially compromise software delivery pipelines.

While exploitation of CVE-2026-44413 requires access to a TeamCity account, those can be acquired via brute force or credential stuffing attacks, from leaks of credentials stolen in previous breaches, or through social engineering.

Also, TeamCity instances occasionally have enabled “guest access”, allowing anyone to log in without credentials.

Update or patch

The vulnerability affects TeamCity On-Premises versions 2025.11.4 and earlier, and has been fixed in version 2026.1. The company also released a security patch plugin that can be installed on TeamCity versions 2017.1 and later.

“This vulnerability affects all TeamCity installations where the firewall permits inbound connections on ports other than the standard HTTP/HTTPS one used by TeamCity, or where build agents are running on the same host as the TeamCity server,” JetBrains added.

“As a general best practice, we strongly recommend restricting inbound network access to only required ports.”

In the past, JetBrains TeamCity on-premises servers have been targeted by both state-sponsored and financially motivated threat actors, leveraging authentication bypass (CVE-2023-42793, CVE-2024-27198) and patch traversal (CVE-2024-27199) vulnerabilities.

CVE-2026-44413 was privately reported by researcher Martin Orem of offensive security services provider Binary House, and there’s currently no mention of it being exploited by attackers.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!