Urgent: Critical Privilege Escalation Flaw Discovered in TeamCity On-Premises – Update to 2026.1 Immediately
Urgent Security Alert: TeamCity On-Premises Vulnerable to Privilege Escalation
A high-severity post-authentication vulnerability has been discovered in TeamCity On-Premises, affecting all versions through 2025.11.4. Tracked as CVE-2026-44413, the flaw could allow any authenticated user to expose parts of the TeamCity server API to unauthorized users.

"This is a serious issue that requires immediate attention from all TeamCity On-Premises administrators," said a JetBrains spokesperson. "We strongly urge everyone to update to version 2026.1 or apply the security patch plugin as soon as possible."
The vulnerability was reported privately by Martin Orem from binary.house on April 30, 2026, in accordance with JetBrains’ coordinated disclosure policy. TeamCity Cloud environments are not affected and require no action.
Background
TeamCity is a popular continuous integration and delivery server used by development teams worldwide. This is not the first time a privilege escalation issue has surfaced; however, this flaw is particularly alarming because it allows an authenticated user—even a low-privilege one—to access API endpoints meant for administrators.
JetBrains has confirmed that all on-premises installations are at risk until patched. The cloud version operates on a separate infrastructure that was not impacted.
What This Means
If exploited, an attacker with valid credentials could leverage this bug to retrieve sensitive configuration data, manipulate build pipelines, or gain a foothold for further attacks. Any TeamCity server exposed to the internet without the fix is highly vulnerable.
“Attackers actively scan for such flaws, so delaying the update could result in a breach,” warned Sam L., a security researcher familiar with the advisory. “Immediate action is critical.”

Mitigation Options
Option 1: Update to TeamCity 2026.1
Download and install the latest version (2026.1) from JetBrains. You can also use the automatic update feature within TeamCity. This release contains the complete fix for CVE-2026-44413.
Option 2: Apply the Security Patch Plugin
If you cannot upgrade immediately, install the security patch plugin for TeamCity 2017.1 and newer. The plugin addresses only this vulnerability. You can obtain it as follows:
- Manual download: Download the plugin from JetBrains and install it via the Administration interface.
- Automatic updates (TeamCity 2024.03+): The server will notify you of available security patches under Administration | Updates. Apply them from there.
For TeamCity 2017.1 to 2018.1, a server restart is required after plugin installation. From 2018.2 onward, the plugin can be enabled without restarting.
See official plugin installation instructions for full details.
If your server is publicly accessible and you cannot apply either fix, temporarily restrict external access until the patch is applied.
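Added defender-side check (example code written for this article, not JetBrains' own tooling): a small Python script that reads the server version from the TeamCity REST endpoint `/app/rest/server` and reports whether it falls inside the affected range (all releases through 2025.11.4). It assumes a TeamCity access token is supplied in the `TEAMCITY_TOKEN` environment variable and that the endpoint returns XML with a `version` attribute; the embedded sample response is constructed so the script runs offline. The version alone cannot tell you whether the security patch plugin has been installed, so a version at or below 2025.11.4 is reported as affected until you confirm the plugin under Administration | Plugins.

```python
"""Report whether a TeamCity On-Premises server version is in the range
affected by CVE-2026-44413 (all versions through 2025.11.4; fixed in 2026.1).

Added example, not JetBrains' code. Assumes GET /app/rest/server returns XML
like <server version="2025.11.4 (build NNNNNN)" .../> and that a TeamCity
access token is in the TEAMCITY_TOKEN environment variable.
"""
import os
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Per the advisory: every release up to and including this one is affected.
LAST_AFFECTED = (2025, 11, 4)

# Constructed sample response (build number is a placeholder), shaped like
# the XML the /app/rest/server endpoint returns.
SAMPLE_RESPONSE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<server version="2025.11.4 (build 000000)" versionMajor="2025" '
    b'versionMinor="11" buildNumber="000000"/>'
)


def parse_version(version_text: str) -> tuple:
    """Extract the dotted numeric prefix of a TeamCity version string.

    "2025.11.4 (build 191234)" -> (2025, 11, 4)
    "2026.1"                   -> (2026, 1)
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version_text)
    if not m:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_text: str) -> bool:
    """True when the version is 2025.11.4 or older.

    Python compares tuples element-wise, so (2024, 3, 1) < (2025, 11, 4)
    and (2026, 1) > (2025, 11, 4), which matches the advisory's cut-off.
    """
    return parse_version(version_text) <= LAST_AFFECTED


def version_from_xml(body: bytes) -> str:
    """Pull the version attribute out of a /app/rest/server XML document."""
    root = ET.fromstring(body)
    if root.tag != "server" or "version" not in root.attrib:
        raise ValueError("not a TeamCity /app/rest/server document")
    return root.attrib["version"]


def server_version(base_url: str, token: str) -> str:
    """Fetch the version string from a live server using a bearer access token."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/app/rest/server",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return version_from_xml(resp.read())


def report(version_text: str) -> str:
    """Human-readable verdict; the plugin state must be checked separately."""
    if is_affected(version_text):
        return (
            f"{version_text}: AFFECTED by CVE-2026-44413 unless the security patch "
            "plugin is installed (check Administration | Plugins); upgrade to 2026.1."
        )
    return f"{version_text}: not affected (2026.1 or later)."


if __name__ == "__main__":
    # Usage: python check_teamcity.py https://teamcity.example.internal
    # With no URL argument the constructed sample response is evaluated instead.
    if len(sys.argv) == 2:
        token = os.environ.get("TEAMCITY_TOKEN")
        if not token:
            sys.exit("set TEAMCITY_TOKEN to a TeamCity access token")
        version = server_version(sys.argv[1], token)
    else:
        version = version_from_xml(SAMPLE_RESPONSE)
    print(report(version))
```

Run it once per on-premises server before and after applying the update; a server that still reports a pre-2026.1 version after the plugin route was chosen is expected, which is why the plugin must be verified in the Administration interface rather than inferred from the version.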