CVE-2026-59793

JetBrains · TeamCity

JetBrains TeamCity contains a vulnerability related to external control of file name or path, impacting versions prior to 2026.1.2.

Executive summary

A high-severity vulnerability in JetBrains TeamCity allows authenticated attackers to potentially compromise the integrity or confidentiality of the build server.

Vulnerability

The vulnerability is classified as CWE-73 (External Control of File Name or Path), which may allow an authenticated attacker to manipulate file paths. This often leads to unauthorized file access or modification within the TeamCity environment.

Business impact

With a CVSS score of 8.8, this flaw represents a significant risk to the CI/CD pipeline. Unauthorized access to build configurations, source code, or deployment artifacts can lead to supply chain compromise, where an attacker could inject malicious code into production software builds.

Remediation

Immediate Action: Update all JetBrains TeamCity instances to version 2026.1.2 or later to mitigate the path manipulation vulnerability.

Proactive Monitoring: Monitor access logs for anomalous file path requests or attempts to access configuration directories outside of standard user scope.

Compensating Controls: Restrict access to the TeamCity administrative interface to trusted internal networks and employ WAF rules to detect directory traversal attempts.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given TeamCity's central role in the software development lifecycle, this vulnerability must be treated with high priority. Organizations should verify their current deployment version and apply the update to 2026.1.2 immediately to prevent potential pipeline contamination.