TeamCity On-Premises Users Urged to Patch Critical Privilege Escalation Flaw — Update to 2026.1 Immediately
URGENT: A high-severity post-authentication vulnerability, CVE-2026-44413, has been discovered in all versions of TeamCity On-Premises through 2025.11.4. The flaw allows any authenticated user to expose parts of the TeamCity server API to unauthorized users, potentially leading to unintended data access or further compromise.
JetBrains has released version 2026.1 with a fix and a security patch plugin for older builds. TeamCity Cloud customers are not affected and need take no action.
“This privilege escalation issue was reported privately on April 30, 2026, by security researcher Martin Orem (binary.house) under our coordinated disclosure policy,” a JetBrains spokesperson confirmed. “We thank him for his responsible reporting and have moved quickly to address the risk.”
Background
TeamCity is a widely used continuous integration and delivery server from JetBrains. The on-premises deployment grants organizations full control, but also makes them responsible for patching.
The flaw (CVE-2026-44413) is classified as high severity because it enables any authenticated user, even low‑privileged ones, to leak API endpoints meant to be restricted. Attackers could then chain this with other exploits or gather intelligence for follow‑up attacks.
All versions from early releases up to 2025.11.4 are vulnerable. JetBrains verified that cloud instances were never at risk due to architectural isolation and automatic patching.
What This Means
Organizations running TeamCity On-Premises must act now. The vulnerability is exploitable post‑authentication, meaning anyone who can log in — including contractors or limited accounts — could abuse it. Exposed API surfaces may reveal sensitive build configurations, environment variables, or authentication tokens.
“If you have a public‑facing TeamCity server and cannot patch immediately, restrict external access until you can apply the fix,” the spokesperson added. A temporary firewall rule or VPN requirement can reduce the attack surface.
Mitigation Option 1: Update to TeamCity 2026.1
JetBrains recommends upgrading to the latest version (2026.1) as the primary fix. Administrators can download the installer or use the automatic update feature within the TeamCity admin console.
This version contains the complete patch for CVE-2026-44413 and restores proper access controls. No additional steps are required beyond the normal upgrade procedure.
Mitigation Option 2: Apply the Security Patch Plugin
For organizations that cannot upgrade immediately, JetBrains has released a security patch plugin compatible with TeamCity 2017.1 and newer. The plugin only addresses the specific vulnerability; all other features remain unchanged.
Ways to obtain it:
- Manual download from the JetBrains marketplace and installation via the plugin administrator page.
- TeamCity 2024.03+ can automatically download available security patches. Administrators see them under Administration | Updates under Available security updates.
On TeamCity 2017.1 to 2018.1, the plugin requires a server restart. For TeamCity 2018.2 and later, it can be enabled without restart.
Important: The patch plugin only fixes this one issue. JetBrains still encourages planning a full upgrade to 2026.1 to protect against future vulnerabilities.
Additional Guidance
If your TeamCity instance is accessible from the internet and you cannot apply either mitigation, temporarily block external access. Use network controls or reverse proxy rules to allow only trusted IP ranges.
For step‑by‑step instructions on plugin installation, refer to the official TeamCity plugin guide (external).
JetBrains has not observed active exploitation of CVE-2026-44413 in the wild, but given the ease of exploitation post‑authentication, immediate patching is strongly advised.