Description
In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk
Published: 2026-02-25
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Credential Leakage
Action: Patch Promptly
AI Analysis

Impact

In JetBrains TeamCity versions before 2025.11.3, disabling versioned settings leaves a credentials configuration file permanently on disk, exposing authentication data. This is classified as a weakness in the handling of security-sensitive data (the record lists CWE-459).

Affected Systems

All installations of JetBrains TeamCity running a version earlier than 2025.11.3 are affected, regardless of edition.

Risk and Exploitability

The CVSS score is 2.3, indicating low severity. The EPSS score of less than 1% suggests a very small chance of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need local file system access to read the residual credentials file, or a prior compromise that allows reading the configuration directory. Because the credentials are stored on disk, compromise of the file can lead to unauthorized access to TeamCity services and potentially to other systems where those credentials are reused.

Generated by OpenCVE AI on April 18, 2026 at 10:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update TeamCity to version 2025.11.3 or later to remove the flaw
  • After upgrading, verify that no legacy credentials files remain in the configuration directory
  • Apply appropriate file system permissions to restrict read access to credential files to only the TeamCity service account

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 11:00:00 +0000

Values added (none removed):

  • Title: Credentials Configuration Left on Disk After Disabling Versioned Settings

Wed, 25 Feb 2026 17:30:00 +0000

Values added (none removed):

  • First Time appeared: Jetbrains; Jetbrains teamcity
  • CPEs: cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*
  • Vendors & Products: Jetbrains; Jetbrains teamcity

Wed, 25 Feb 2026 15:15:00 +0000

Values added (none removed):

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 13:30:00 +0000

Values added (none removed):

  • Description: In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk
  • Weaknesses: CWE-459
  • References
  • Metrics (cvssV3_1): {'score': 2.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-02-25T14:40:40.502Z

Reserved: 2026-02-25T12:35:13.328Z

Link: CVE-2026-28196

Vulnrichment

Updated: 2026-02-25T14:40:07.524Z

NVD

Status: Analyzed

Published: 2026-02-25T14:16:21.200

Modified: 2026-02-25T17:17:14.643

Link: CVE-2026-28196

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses