JetBrains TeamCity CVE-2026-44413: Authenticated Exposure of Server API

The National Vulnerability Database has issued an advisory for CVE-2026-44413, a high-severity vulnerability affecting JetBrains TeamCity versions prior to 2026.1 and 2025.11.5. This flaw, rated 8.2 CVSS, allows authenticated users to expose the server API to unauthorized access.

This isn’t a zero-day or a remote code execution flaw, but it’s dangerous for CI/CD pipelines. An attacker with even low-level authenticated access can leverage this to escalate privileges or exfiltrate sensitive data by exposing internal APIs. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N indicates network-based exploitability and high confidentiality impact, meaning critical data could be compromised.

CISOs need to understand the attacker’s calculus here: TeamCity instances are often treasure troves of build secrets, source code, and deployment credentials. Exposing the API provides a direct pathway for an insider threat or an external attacker who has already gained initial access to move laterally and deepen their foothold, potentially leading to a full supply chain compromise.

What This Means For You

  • If your organization uses JetBrains TeamCity, you must immediately verify your version. Patching to a secure version (2026.1 or 2025.11.5 or newer) is critical. Beyond patching, audit your TeamCity user permissions and API access logs for any suspicious activity or unauthorized API calls, especially from accounts with low privileges. This isn't just about patching; it's about controlling who can even see your API endpoints.

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

JetBrains TeamCity Authenticated API Exposure - Free Tier

Severity: high · ATT&CK: T1190 (Initial Access)

Sigma YAML:
title: JetBrains TeamCity Authenticated API Exposure - Free Tier
id: scw-2026-05-11-ai-1
status: experimental
level: high
description: |
  Detects an authenticated user accessing the TeamCity server API endpoint '/app/rest/server' via a GET request. This is a specific indicator for CVE-2026-44413, where authenticated users can expose server API details to unauthorized access, potentially leading to further compromise.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44413/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-uri|contains:
            - '/app/rest/server'
        cs-method:
            - 'GET'
        sc-status:
            - '200'
    condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
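
The Sigma selection above, applied directly to access-log lines for a retrospective audit; this is an added example, not part of the original rule or of TeamCity. It assumes a combined-format access log from a reverse proxy in front of the server, and `expected_users` and the sample lines are hypothetical.

```python
import re
from collections import Counter

# Assumption: combined-format access log from a reverse proxy in front of
# TeamCity; the page does not specify the log format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def matches_rule(entry):
    """The three conditions of the Sigma selection: URI, method, status."""
    return ("/app/rest/server" in entry["uri"]
            and entry["method"] == "GET"
            and entry["status"] == "200")

def triage(lines, expected_users=frozenset()):
    """Return (hits, counts keyed by (user, ip)) for matching requests.

    expected_users is a hypothetical allowlist of administrator accounts,
    covering the rule's stated false positive; their requests are skipped.
    """
    hits, counts = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than guess
        entry = m.groupdict()
        if matches_rule(entry) and entry["user"] not in expected_users:
            hits.append(entry)
            counts[(entry["user"], entry["ip"])] += 1
    return hits, counts

# Constructed sample lines, not real traffic.
SAMPLE = [
    '10.0.0.5 - admin [11/May/2026:21:20:01 +0000] "GET /app/rest/server HTTP/1.1" 200 512',
    '10.0.0.9 - dev1 [11/May/2026:21:21:14 +0000] "GET /teamcity/app/rest/server HTTP/1.1" 200 512',
    '10.0.0.9 - dev1 [11/May/2026:21:21:15 +0000] "GET /app/rest/server HTTP/1.1" 200 512',
    '10.0.0.9 - dev1 [11/May/2026:21:21:16 +0000] "GET /app/rest/server HTTP/1.1" 403 0',
    '10.0.0.9 - dev1 [11/May/2026:21:21:20 +0000] "POST /app/rest/server HTTP/1.1" 200 10',
    '10.0.0.7 - - [11/May/2026:21:22:00 +0000] "GET /app/rest/builds HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    hits, counts = triage(SAMPLE, expected_users={"admin"})
    for (user, ip), n in counts.most_common():
        print(f"{n} matching request(s): user={user} ip={ip}")
```

Because the rule uses `contains`, the request under a `/teamcity` context path matches as well, while the 403 and POST lines do not.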


Indicators of Compromise

ID | Type | Indicator
CVE-2026-44413 | Auth Bypass | JetBrains TeamCity before 2026.1 and 2025.11.5
CVE-2026-44413 | Information Disclosure | expose server API to unauthorised access

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 21:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
