JetBrains TeamCity, Credential Exposure in Thread Names Vulnerability (CVE-2026-49379) (MEDIUM) -DC-Jun2026-99

Listen to this Post

CVE-2026-49379 is a vulnerability in JetBrains TeamCity on‑premises versions prior to 2026.1.
The flaw allows credentials to be unintentionally exposed in thread names, which can be observed in various monitoring tools, thread dumps, and diagnostic logs.

How it works:

TeamCity uses a multi‑threaded architecture to handle builds, version control operations, and administrative tasks. Each thread is assigned a name for debugging and monitoring purposes. In certain scenarios, the software places sensitive information—such as passwords, API tokens, or other authentication secrets—directly into these thread names.
An attacker who has already obtained low‑privileged access to the TeamCity server (e.g., a regular authenticated user or a user who can trigger thread dumps) can retrieve thread names via:
– Thread dump endpoints (e.g., `/admin/dumpThreads.html` or administrative APIs)
– Operating system tools (e.g., `jstack` if the attacker has local shell access)
– Monitoring integrations that log thread details
Once the thread names are collected, the embedded credentials can be extracted. Because thread names are often stored in logs or transmitted over unencrypted channels, this increases the risk of credential leakage beyond the immediate server environment.
The vulnerability has been assigned CWE‑522 (Insufficiently Protected Credentials) and a CVSS v3.1 base score of 6.5 (Medium) with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This reflects that the attack is network‑accessible, requires low privileges, and has high confidentiality impact but no integrity or availability impact.
The issue was addressed in TeamCity 2026.1, released on May 11, 2026.

DailyCVE Form

Platform: JetBrains TeamCity
Version: before 2026.1
Vulnerability : Credentials in thread names
Severity: MEDIUM (6.5)
date: 2026‑05‑29

Prediction: Patch available 2026‑05‑11

What Undercode Say

Analytics & Detection Commands

Check TeamCity version to confirm vulnerability
curl -k https://teamcity.example.com/update/versionInfo.html | grep version
Search for credentials in current thread dump
curl -k -u user:pass https://teamcity.example.com/admin/dumpThreads.html | grep -E "password|token|secret|key"
Extract thread names from TeamCity logs
grep -E "Thread-.password" /var/log/teamcity/teamcity-server.log
Alternative using jstack (requires local access)
jstack $(pgrep -f teamcity) | grep -E "teamcity.(password|token)"
Monitor thread names in real-time
watch -n 5 'curl -s -k -u user:pass https://teamcity.example.com/admin/dumpThreads.html | grep -c "Bearer [a-zA-Z0-9]"'

Sample Python detection script

import requests
import re
def check_thread_credentials(url, session):
dump = session.get(f"{url}/admin/dumpThreads.html", verify=False)
pattern = r'(?i)(password|token|secret|api_key)(=|\s+)([a-zA-Z0-9_-]+)'
matches = re.findall(pattern, dump.text)
if matches:
print(f"[!] Potential credentials in thread names: {matches}")
else:
print("[-] No obvious credentials found in thread names.")
if <strong>name</strong> == "<strong>main</strong>":
s = requests.Session()
s.auth = ('username', 'password')
check_thread_credentials('https://teamcity.example.com', s)

Exploit

An authenticated attacker with low privileges (e.g., a standard build user) can:
1. Call the thread dump endpoint `/admin/dumpThreads.html` (accessible to any authenticated user by default).
2. Parse the thread names looking for strings that match credential patterns:
– `password=secret123`
– `DB_PASSWORD=myPassword`
– `Authorization: Bearer eyJhbGci…`
– `api_key=12345-abcde`
3. Use the extracted credentials to escalate privileges, access other builds, or compromise connected services (e.g., version control systems).
Because the credentials are stored in plain text in thread names, no decryption or sophisticated technique is required.

Protection

  • Upgrade to TeamCity 2026.1 or later.
  • If upgrading is not immediately possible, apply the security patch plugin released by JetBrains for versions 2017.1 and later.
  • Restrict access to thread dump endpoints via reverse proxy rules or firewall policies.
  • Regularly rotate credentials and avoid embedding secrets in configuration files that may be passed to threads.
  • Monitor thread dumps and logs for unexpected credential exposure using the detection commands provided above.

Impact

Confidentiality (High) – Credentials (passwords, tokens, API keys) can be read by any authenticated user, leading to unauthorized access to builds, source repositories, cloud infrastructure, and external services.
Integrity (None) – The vulnerability does not directly allow modification of data.
Availability (None) – The vulnerability does not affect service availability.
Overall Risk – The flaw provides a straightforward avenue for privilege escalation and lateral movement inside a CI/CD environment, potentially compromising the entire software supply chain.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top