Critical Privilege Escalation Flaw Found in TeamCity On-Premises – Urgent Update to 2026.1 Required
Breaking: High-Severity Vulnerability Exposes TeamCity API to Unauthorized Users
A high-severity post-authentication security vulnerability has been discovered in TeamCity On-Premises. Tracked as CVE-2026-44413, the flaw allows any authenticated user to expose parts of the TeamCity server API to unauthorized users.
All on-premises versions through 2025.11.4 are affected. The fix has been included in the newly released TeamCity 2026.1. A security patch plugin is also available for organizations unable to upgrade immediately.
“This vulnerability could let an attacker with valid credentials access internal API endpoints that should be restricted, potentially leading to data exposure or further compromise,” said Martin Orem of binary.house, who privately reported the issue to JetBrains on April 30, 2026.
Immediate Action Recommended for On-Premises Users
JetBrains urges all customers to update their TeamCity servers to version 2026.1 as soon as possible. For those on TeamCity 2017.1+ who cannot upgrade, JetBrains has released a security patch plugin to mitigate the vulnerability.
TeamCity Cloud is not affected and no action is required for cloud customers.
Background
TeamCity is a widely used continuous integration and delivery (CI/CD) server from JetBrains. The on-premises version is deployed in many enterprise environments to automate builds, tests, and deployments.
The vulnerability was reported under JetBrains’ coordinated disclosure policy. It has received a high CVSS severity rating, though JetBrains has not yet published the exact score. The flaw does not affect cloud instances because of architectural differences in how API access is controlled.
What This Means
Organizations running TeamCity On-Premises with internet-accessible servers are at greatest risk. An authenticated user—possibly with low-level privileges—could expose sensitive API endpoints, potentially leaking configuration data, credentials, or enabling lateral movement within the CI/CD pipeline.
“If your TeamCity server is publicly accessible and you cannot apply either the upgrade or the patch plugin immediately, we strongly recommend temporarily restricting external access until mitigation is complete,” a JetBrains spokesperson said.
Mitigation Options
- Option 1: Update to TeamCity 2026.1 – Download and install the latest version. The automatic update feature within TeamCity also delivers the fix.
- Option 2: Apply the security patch plugin – Available for TeamCity 2017.1 and newer. It patches this specific vulnerability without requiring a full upgrade.
Option 1: Update Directly
Download TeamCity 2026.1 from the official website. For existing servers, use the automatic update option in the Administration section. A restart will be required. This version includes the permanent fix.
Option 2: Security Patch Plugin
The security patch plugin can be downloaded and installed manually. For TeamCity 2024.03 and newer, the server automatically detects available security patches and notifies administrators via Administration | Updates, under “Available security updates.”
Note: For TeamCity versions 2017.1 to 2018.1, a server restart is mandatory after plugin installation. Starting with 2018.2, the plugin can be enabled without restarting.
The patch plugin only addresses CVE-2026-44413. It does not protect against other vulnerabilities. Full instructions are available in the TeamCity plugin installation documentation.
Vulnerability Timeline
- April 30, 2026 – Vulnerability reported privately by Martin Orem.
- May 2026 – JetBrains confirms and develops fix.
- June 2026 – CVE-2026-44413 assigned; update 2026.1 and patch plugin released.
Conclusion
All on-premises administrators should act promptly. Delaying the update increases the risk of a post-authentication API exposure attack. JetBrains reminds users that even though the vulnerability requires authentication, a determined attacker with low-level access could exploit it to escalate privileges or exfiltrate data.