Urgent Security Alert: TeamCity On-Premises Vulnerable to Privilege Escalation
A high-severity post-authentication vulnerability has been discovered in TeamCity On-Premises, affecting all versions through 2025.11.4. Tracked as CVE-2026-44413, the flaw could allow any authenticated user to expose parts of the TeamCity server API to unauthorized users.

"This is a serious issue that requires immediate attention from all TeamCity On-Premises administrators," said a JetBrains spokesperson. "We strongly urge everyone to update to version 2026.1 or apply the security patch plugin as soon as possible."
The vulnerability was reported privately by Martin Orem from binary.house on April 30, 2026, in accordance with JetBrains’ coordinated disclosure policy. TeamCity Cloud environments are not affected and require no action.
Background
TeamCity is a popular continuous integration and delivery server used by development teams worldwide. This is not the first time a privilege escalation issue has surfaced; however, this flaw is particularly alarming because it allows an authenticated user—even a low-privilege one—to access API endpoints meant for administrators.
JetBrains has confirmed that all on-premises installations are at risk until patched. The cloud version operates on a separate infrastructure that was not impacted.
What This Means
If exploited, an attacker with valid credentials could leverage this bug to retrieve sensitive configuration data, manipulate build pipelines, or gain a foothold for further attacks. Any TeamCity server exposed to the internet without the fix is highly vulnerable.
“Attackers actively scan for such flaws, so delaying the update could result in a breach,” warned Sam L., a security researcher familiar with the advisory. “Immediate action is critical.”

Mitigation Options
Option 1: Update to TeamCity 2026.1
Download and install the latest version (2026.1) from JetBrains. You can also use the automatic update feature within TeamCity. This release contains the complete fix for CVE-2026-44413.
Option 2: Apply the Security Patch Plugin
If you cannot upgrade immediately, install the security patch plugin for TeamCity 2017.1 and newer. The plugin addresses only this vulnerability. You can obtain it as follows:
- Manual download: Download the plugin from JetBrains and install it via the Administration interface.
- Automatic updates (TeamCity 2024.03+): The server will notify you of available security patches under Administration | Updates. Apply them from there.
For TeamCity 2017.1 to 2018.1, a server restart is required after plugin installation. From 2018.2 onward, the plugin can be enabled without restarting.
See the official plugin installation instructions for full details.
If your server is publicly accessible and you cannot apply either fix, temporarily restrict external access until the patch is applied.
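The version boundaries in the mitigation options above can be turned into a triage pass over a server inventory. The following is an added example, not JetBrains code: the function names, the inventory format and the hostnames are constructed for illustration, and the version string is assumed to be collected by the administrator.

```python
import re

# Version boundaries as stated in the advisory text above.
FIXED = (2026, 1)            # release with the complete fix
PLUGIN_MIN = (2017, 1)       # oldest version the patch plugin covers
NO_RESTART_MIN = (2018, 2)   # plugin can be enabled without a restart
AUTO_UPDATE_MIN = (2024, 3)  # Administration | Updates offers the patch


def parse_version(text):
    """Turn '2024.03.1' into (2024, 3, 1); reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,2}", text):
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def triage(version, public=False, cloud=False):
    """Return the actions the advisory prescribes for one server."""
    if cloud:
        return ["no action: TeamCity Cloud is not affected"]
    v = parse_version(version)
    if v >= FIXED:
        return ["no action: already on a fixed release"]
    actions = ["upgrade to 2026.1 (complete fix)"]
    if v < PLUGIN_MIN:
        actions.append("patch plugin unavailable: it covers 2017.1 and newer")
    else:
        source = "manual download"
        if v >= AUTO_UPDATE_MIN:
            source = "Administration | Updates or manual download"
        restart = "no restart" if v >= NO_RESTART_MIN else "restart required"
        actions.append(f"or install patch plugin via {source} ({restart})")
    if public:
        actions.insert(0, "restrict external access until patched")
    return actions


# Constructed inventory: (hostname, version, internet-facing, cloud-hosted).
INVENTORY = [
    ("ci-legacy.example.internal", "10.0.5", False, False),
    ("ci-old.example.internal", "2018.1.5", True, False),
    ("ci-main.example.internal", "2025.11.4", True, False),
    ("ci-new.example.internal", "2026.1", False, False),
]

if __name__ == "__main__":
    for host, version, public, cloud in INVENTORY:
        print(f"{host} ({version}):")
        for step in triage(version, public, cloud):
            print(f"  - {step}")
```

Servers older than 2017.1 fall outside the plugin's stated range, so for them the only listed fix is the upgrade.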