Description
In JetBrains TeamCity before 2025.11.3 missing authorization allowed project developers to add parameters to build configurations
Published: 2026-02-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration changes to TeamCity build parameters
Action: Patch
AI Analysis

Impact

TeamCity before 2025.11.3 failed to properly enforce authorization checks, enabling anyone with project developer rights to add new parameters to a build configuration. This mis‑authorization can let a user modify build behavior, inject undesired variables, or expose confidential data in the CI pipeline, potentially compromising build integrity and confidentiality. The weakness is identified as CWE‑862: Authorization Bypass Through User-Controlled Key.

Affected Systems

JetBrains TeamCity systems running any version earlier than 2025.11.3 are affected. No explicit patch version is listed, but all releases prior to 2025.11.3 are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. EPSS is less than 1%, showing a very low probability of exploitation at the time of this analysis, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need project developer access; the bug allows elevation of their configuration privileges without additional zero‑day exploits. The likely attack vector is internal or compromised developer accounts with existing Access rights, so organizations with broad developer permissions should examine role assignments.

Generated by OpenCVE AI on April 17, 2026 at 15:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update TeamCity to 2025.11.3 or later to eliminate the missing authorization check.
  • Restrict project developer permissions to only those users who truly require the ability to add or modify build parameters.
  • Conduct a security review of build configuration access controls to ensure only authorized accounts can alter sensitive parameters.

Generated by OpenCVE AI on April 17, 2026 at 15:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Title Missing Authorization Allows Project Developers to Add Build Parameters

Wed, 25 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Jetbrains
Jetbrains teamcity
CPEs cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*
Vendors & Products Jetbrains
Jetbrains teamcity

Wed, 25 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
Description In JetBrains TeamCity before 2025.11.3 missing authorization allowed project developers to add parameters to build configurations
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Jetbrains Teamcity
cve-icon MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-02-25T14:42:36.845Z

Reserved: 2026-02-25T12:35:12.999Z

Link: CVE-2026-28195

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T14:16:21.040

Modified: 2026-02-25T17:17:05.450

Link: CVE-2026-28195

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses