Description
In JetBrains TeamCity before 2026.1
2025.11.5 authenticated users could expose server API to unauthorised access
Published: 2026-05-11
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetBrains TeamCity versions prior to 2026.1, including 2025.11.5, contain a flaw that allows authenticated users to expose the server API to unauthorized access. The lack of proper authentication enforcement means that any user who can log in can potentially exploit the exposed API endpoints, leading to unauthorized data exposure or manipulation. This is classified as a CWE‑306 weakness, which reflects an authentication bypass or missing credential checks.

Affected Systems

The affected product is JetBrains TeamCity. All installations of TeamCity released before the 2026.1 version, including the 2025.11.5 build, are vulnerable.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity impact. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to have valid credentials to log in first; once authenticated, the attacker can abuse the exposed API endpoints. Given the high severity and the need for authenticated access, the exploitation risk is moderate to high, especially in environments where TeamCity exposes additional services or sensitive data.

Generated by OpenCVE AI on May 11, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest JetBrains TeamCity update that addresses the authentication flaw
  • Restrict API access to the minimum set of users and disable any unused API endpoints
  • Segregate the TeamCity server from critical internal services and monitor API traffic for anomalies

Generated by OpenCVE AI on May 11, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*

Mon, 11 May 2026 20:00:00 +0000

Type Values Removed Values Added
Title Authenticated Users May Expose TeamCity Server API to Unauthorized Access
First Time appeared Jetbrains
Jetbrains teamcity
Vendors & Products Jetbrains
Jetbrains teamcity

Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description In JetBrains TeamCity before 2026.1 2025.11.5 authenticated users could expose server API to unauthorised access
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Jetbrains Teamcity
cve-icon MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-05-11T18:35:23.104Z

Reserved: 2026-05-06T10:13:50.755Z

Link: CVE-2026-44413

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-11T18:16:38.053

Modified: 2026-05-12T19:59:34.543

Link: CVE-2026-44413

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T19:45:08Z

Weaknesses