CVE-2026-28195
📋 TL;DR
This CVE describes a missing authorization vulnerability in JetBrains TeamCity: users holding the project developer role can add parameters to build configurations without the required permission check being enforced. It affects TeamCity instances where project developers are allowed to modify build configurations but are meant to be restricted from adding certain parameters. The result is that parameters can be injected into build processes by users who are not authorized to do so.
💻 Affected Systems
- JetBrains TeamCity
📦 What is this software?
TeamCity by JetBrains, a continuous integration and delivery (CI/CD) server that runs build configurations defined per project.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious parameters that execute arbitrary code during builds, potentially compromising the build server and downstream systems.
Likely Case
Unauthorized users add parameters that alter build behavior, potentially introducing vulnerabilities into software artifacts or causing build failures.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized parameter changes that can be detected and rolled back.
🎯 Exploit Status
Requires authenticated access as a project developer; exploitation involves using the TeamCity interface to add unauthorized parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.11.3 or later
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: Yes
Instructions:
1. Back up the TeamCity configuration and data.
2. Download TeamCity 2025.11.3 or later from the JetBrains website.
3. Stop the TeamCity service.
4. Install the updated version following the JetBrains upgrade guide.
5. Restart the TeamCity service.
6. Verify functionality.
🔧 Temporary Workarounds
Restrict Parameter Permissions
Configure TeamCity to restrict which users can add parameters to build configurations
Use TeamCity administration interface: Project Settings > Build Configuration Settings > Parameters > Configure permissions
Audit Build Parameters
Regularly review and audit build configuration parameters for unauthorized changes
Use TeamCity audit logs or API to monitor parameter changes
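As an added example (not code from the advisory or from JetBrains), the following Python script implements the audit workaround above: it pulls a build configuration's parameters from the TeamCity REST API and diffs them against a saved baseline, reporting parameters that were added, removed or changed, with additions being the signal relevant to this CVE. The REST path, the bearer-token header and the JSON response shape are assumptions based on TeamCity's public API; the baseline and the API response used in the demo are constructed sample data.

```python
import json
import urllib.request

# REST endpoint for one build configuration's parameters (assumed from the public TeamCity API).
PARAMS_PATH = "/app/rest/buildTypes/id:{build_type_id}/parameters"


def fetch_parameters(server_url, access_token, build_type_id):
    """Fetch the build configuration's parameters from a live server and return {name: value}."""
    req = urllib.request.Request(
        server_url.rstrip("/") + PARAMS_PATH.format(build_type_id=build_type_id),
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_parameters(json.load(resp))


def parse_parameters(payload):
    """Extract {name: value} from a parameters response, skipping entries inherited from the project."""
    return {
        prop["name"]: prop.get("value", "")
        for prop in payload.get("property", [])
        if not prop.get("inherited", False)
    }


def diff_parameters(baseline, current):
    """Compare two {name: value} maps; 'added' names are parameters nobody in the baseline approved."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(name for name in common if baseline[name] != current[name]),
    }


# Constructed sample data: a baseline saved earlier and a later API response in the assumed JSON shape.
BASELINE = {"env.DEPLOY_TARGET": "staging", "system.build.timeout": "30"}
CURRENT_RESPONSE = {
    "count": 4,
    "property": [
        {"name": "env.DEPLOY_TARGET", "value": "production"},
        {"name": "system.build.timeout", "value": "30"},
        {"name": "env.UNREVIEWED_OPTION", "value": "set-by-developer"},
        {"name": "teamcity.project.id", "value": "Demo", "inherited": True},
    ],
}

if __name__ == "__main__":
    # Against a live server: diff_parameters(BASELINE, fetch_parameters(url, token, "Demo_Build"))
    print(json.dumps(diff_parameters(BASELINE, parse_parameters(CURRENT_RESPONSE)), indent=2))
```

Run it on a schedule per build configuration and alert on any non-empty "added" list; refresh the baseline only after a reviewed change.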
🧯 If You Can't Patch
- Implement strict access controls to limit who can modify build configurations
- Enable comprehensive logging and monitoring of all parameter changes to build configurations
🔍 How to Verify
Check if Vulnerable:
Check TeamCity version via Administration > Server Administration > Server Health > Version Information
Check Version:
Check TeamCity web interface or server logs for version information
Verify Fix Applied:
Verify version is 2025.11.3 or later and test that project developers cannot add unauthorized parameters
📡 Detection & Monitoring
Log Indicators:
- Unauthorized parameter additions in TeamCity audit logs
- Unexpected parameter values in build logs
Network Indicators:
- Unusual API calls to modify build configurations
SIEM Query:
source="teamcity" AND (event_type="parameter_change" OR action="add_parameter") AND user_role="project_developer"