Description
In JetBrains TeamCity before 2025.11.2 exposure of sensitive data via default agent parameters
Published: 2026-05-29
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetBrains TeamCity exposes sensitive data through default agent parameters. An attacker who can read these default parameters can obtain confidential information such as authentication secrets or project credentials. This compromises confidentiality and can enable further malicious activity against projects managed by the affected TeamCity instance. The weakness is classified as CWE-526, which covers sensitive information exposed through environment variables.

Affected Systems

JetBrains TeamCity installations running any version released prior to 2025.11.2 are affected. The issue is inherent to the default agent configuration shipped with those releases.

Risk and Exploitability

The CVSS 3.1 score of 4.3 rates this vulnerability as medium severity: mitigating it is advisable but not a critical emergency. The vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) describes a low-complexity attack over the network that requires low privileges and no user interaction, with low confidentiality impact and no integrity or availability impact. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be the exposure of agent parameters within the TeamCity configuration, which may be accessed by users with sufficient permissions or by anyone who can read the agent configuration files or API responses. The risk is primarily the accidental disclosure of confidential credentials rather than criminal exploitation, so the likelihood of active compromise is moderate and largely contingent on the internal security posture of the deployment.

Generated by OpenCVE AI on May 29, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains TeamCity to version 2025.11.2 or later; versions before 2025.11.2 are the ones listed as affected.
  • Immediately review and modify any custom agent parameters to ensure that credentials or secrets are not stored in plain text and that only authorized roles can access them.
  • If an upgrade cannot be applied quickly, temporarily disable the feature that exposes default agent parameters or restrict access to the agent configuration to internal network segments or privileged users.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jetbrains; Jetbrains teamcity
Vendors & Products | | Jetbrains; Jetbrains teamcity

Fri, 29 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | In JetBrains TeamCity before 2025.11.2 exposure of sensitive data via default agent parameters
Weaknesses | | CWE-526
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-05-29T19:29:16.691Z

Reserved: 2026-05-29T18:07:57.451Z

Link: CVE-2026-49377

Vulnrichment

Updated: 2026-05-29T19:29:12.113Z

NVD

Status: Undergoing Analysis

Published: 2026-05-29T19:16:27.650

Modified: 2026-05-29T20:11:15.977

Link: CVE-2026-49377

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T20:45:07Z
