Description
In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion
Published: 2026-05-29
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from JetBrains TeamCity's parameter autocompletion feature exposing credentials parameters, which can be read by anyone who can access the autocomplete UI. The flaw is a missing authorization issue (CWE‑862) that allows an attacker to view sensitive session data or passwords that should remain confidential. Consequences include potential credential theft, privilege escalation, or unauthorized access to protected resources.

Affected Systems

All JetBrains TeamCity releases prior to version 2026.1 are affected. Users running any earlier build should assume that credentials may be exposed through the web interface until a fixing release is applied.

Risk and Exploitability

The CVSS score of 4.3 indicates a medium severity impact, and the vulnerability is not listed in CISA KEV. EPSS data is unavailable, so the risk of exploitation cannot be precisely quantified, but the public nature of the parameter autocompletion UI means it could be abused by both authenticated and unauthenticated users who can reach the web interface. The attack does not require local access – remote users with web UI access can trigger the autocompletion feature, revealing the credentials.

Generated by OpenCVE AI on May 29, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains TeamCity to version 2026.1 or later, which removes the credential exposure in parameter autocompletion.
  • If an upgrade is not immediately possible, disable the parameter autocompletion feature in the TeamCity web UI settings to eliminate the surface that leaks credentials.
  • Limit access to the TeamCity web interface to authorized personnel only, using network segmentation or firewall rules to reduce the attacker’s reach to the vulnerable UI.

Generated by OpenCVE AI on May 29, 2026 at 20:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title TeamCity Parameter Autocompletion Reveals Credentials
First Time appeared Jetbrains
Jetbrains teamcity
Vendors & Products Jetbrains
Jetbrains teamcity
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Jetbrains Teamcity
cve-icon MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-05-29T19:29:03.223Z

Reserved: 2026-05-29T18:07:57.737Z

Link: CVE-2026-49378

cve-icon Vulnrichment

Updated: 2026-05-29T19:28:58.128Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-29T19:16:27.760

Modified: 2026-05-29T20:11:15.977

Link: CVE-2026-49378

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T20:15:07Z

Weaknesses