CVE-2026-44413

JetBrains · TeamCity

JetBrains TeamCity contains a vulnerability related to missing authentication, potentially allowing unauthorized access to system functions.

Executive summary

A critical authentication-related vulnerability in JetBrains TeamCity versions prior to 2026.1 and 2025.11.5 exposes the platform to potential unauthorized access.

Vulnerability

The vulnerability is identified as CWE-306 (Missing Authentication for Critical Function). An unauthenticated attacker can exploit this flaw to interact with sensitive endpoints, leading to unauthorized information disclosure or potential configuration changes.

Business impact

Successful exploitation allows unauthorized parties to gain access to sensitive build artifacts, source code, or internal configuration details, which could facilitate further attacks against the development pipeline. With a CVSS score of 8.2, this vulnerability is a high-priority risk that threatens the security of the entire software supply chain managed by TeamCity.

Remediation

Immediate Action: Update TeamCity installations to version 2026.1 or the relevant patched release (2025.11.5) immediately.

Proactive Monitoring: Review TeamCity audit logs for anomalous access patterns or unauthorized API requests originating from untrusted network segments.

Compensating Controls: Restrict access to the TeamCity interface via VPN or IP-allowlisting at the network level until the update is applied.

Exploitation status

Public Exploit Available: No (No confirmed public exploit available).

Analyst recommendation

This vulnerability represents a significant security gap in the CI/CD pipeline. Organizations should apply the recommended updates immediately to prevent unauthorized access to build environments and sensitive project data.