JetBrains TeamCity, Open Redirect, CVE-2026-49380 (Medium) -DC-Jun2026-97

Listen to this Post

Intro – How CVE-2026-49380 works

The vulnerability resides in the SAML authentication plugin bundled with JetBrains TeamCity. In affected versions before 2026.1, the plugin fails to properly validate the `RelayState` parameter during the SAML Single Sign‑On (SSO) handshake.
When a user initiates SAML login, TeamCity generates an authentication request and includes a `RelayState` value that indicates where to redirect the user after successful authentication. In a secure implementation, this value should be strictly validated against a whitelist of allowed callback URLs.
However, in TeamCity versions prior to 2026.1, the SAML plugin does not enforce such validation. An attacker can craft a malicious SAML authentication request containing an arbitrary `RelayState` pointing to an external domain under their control. When the victim clicks the attacker’s specially crafted login link, TeamCity forwards the request to the configured Identity Provider (IdP). After the IdP authenticates the user (or even if the user cancels the login), TeamCity reads the unsanitized `RelayState` from the SAML response and redirects the victim’s browser to the attacker‑specified URL.
Because the redirect occurs within a legitimate TeamCity authentication flow, the victim trusts the destination. This open redirect can be exploited in phishing campaigns: the attacker can forge a link that appears to point to a trusted TeamCity instance but in reality redirects to a malicious site designed to harvest credentials or deliver malware. The issue is classified as CWE‑601 (URL Redirection to Untrusted Site).
The NIST CVSS score is 6.1 (Medium) with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. JetBrains rates it as Low due to the need for user interaction, but the potential for phishing and credential theft elevates its risk in real‑world scenarios. The flaw was fixed in TeamCity version 2026.1 (released 11 May 2026) and is tracked under the internal issue TW-98900.

DailyCVE Form:

Platform: JetBrains TeamCity
Version: before 2026.1
Vulnerability: Open Redirect
Severity: Medium (6.1)
date: 2026-06-02

Prediction: 2026-05-11

What Undercode Say – Analytics

Check currently installed TeamCity version via REST API (authenticated request)
curl -u "username:password" "https://teamcity.example.com/app/rest/server"
Simulate an open redirect attempt on a vulnerable TeamCity instance
Replace "teamcity.example.com" and "evil.com" accordingly
curl -i "https://teamcity.example.com/app/saml/login?RelayState=https://evil.com/malicious"

Exploit

  1. Attacker crafts a SAML login URL that includes a malicious `RelayState` parameter:
    `https://teamcity.example.com/app/saml/login?RelayState=https://attacker.com/phish`
  2. The victim clicks the link and is redirected to the legitimate TeamCity login page.
  3. After authenticating (or cancelling), TeamCity processes the SAML response and reads the unsanitized RelayState.
  4. The victim’s browser is instantly redirected to `https://attacker.com/phish`, which can display a fake login form or download malware.

Protection

  • Upgrade to TeamCity 2026.1 or later (the fix is included in the official release).
  • If immediate upgrade is not possible, apply the security patch plugin released by JetBrains for versions 2017.1 and later.
  • Enable SAML Strict Mode in the authentication module to enforce callback URL validation (mitigation, but not a complete fix for this issue).

Impact

  • Phishing attacks: Attackers can create trusted‑looking links to TeamCity that silently redirect victims to fraudulent sites.
  • Credential theft: Redirected users may be tricked into entering their corporate credentials on a malicious page.
  • Reputational damage: A successful exploit can undermine trust in the TeamCity instance and the organisation’s security posture.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top