CVE-2026-59793
JetBrains · TeamCity
JetBrains TeamCity contains a vulnerability related to external control of file name or path, impacting versions prior to 2026.1.2.
Executive summary
A high-severity vulnerability in JetBrains TeamCity allows authenticated attackers to potentially compromise the integrity or confidentiality of the build server.
Vulnerability
The vulnerability is classified as CWE-73 (External Control of File Name or Path), which may allow an authenticated attacker to manipulate file paths. This often leads to unauthorized file access or modification within the TeamCity environment.
Business impact
With a CVSS score of 8.8, this flaw represents a significant risk to the CI/CD pipeline. Unauthorized access to build configurations, source code, or deployment artifacts can lead to supply chain compromise, where an attacker could inject malicious code into production software builds.
Remediation
Immediate Action: Update all JetBrains TeamCity instances to version 2026.1.2 or later to mitigate the path manipulation vulnerability.
Proactive Monitoring: Monitor access logs for anomalous file path requests or attempts to access configuration directories outside of standard user scope.
Compensating Controls: Restrict access to the TeamCity administrative interface to trusted internal networks and employ WAF rules to detect directory traversal attempts.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given TeamCity's central role in the software development lifecycle, this vulnerability must be treated with high priority. Organizations should verify their current deployment version and apply the update to 2026.1.2 immediately to prevent potential pipeline contamination.