What Happened
JetBrains disclosed CVE-2026-44413, a high-severity vulnerability in TeamCity On-Premises versions 2025.11.4 and earlier. This flaw enables privilege escalation and may expose sensitive API data. Security researcher Martin Orem reported the vulnerability. JetBrains released patches and urged immediate upgrades.
The vulnerability affects your CI/CD control plane—the system orchestrating your software delivery pipeline. If an attacker escalates privileges in TeamCity, they gain access to build configurations, deployment credentials, source code repositories, and API tokens for downstream systems.
Timeline
Discovery Phase:
- Martin Orem identified the vulnerability during security research.
- JetBrains received the report and began patch development.
- Testing confirmed privilege escalation and API exposure risks.
Disclosure Phase:
- JetBrains released security patches for affected versions.
- CVE-2026-44413 was assigned a high-severity rating.
- A public advisory was issued with upgrade recommendations.
Response Window: Organizations running TeamCity On-Premises 2025.11.4 or earlier must decide: upgrade immediately or apply the security patch. Delays expand the attack surface.
Which Controls Failed or Were Missing
Access Control Boundaries
The vulnerability shows a failure in privilege separation. TeamCity should enforce strict boundaries between user roles such as agents, project administrators, and system administrators. When privilege escalation is possible, these boundaries collapse.
Your CI/CD system holds credentials for production deployments, cloud provider APIs, artifact repositories, and container registries. A privilege escalation bug turns a low-privilege account into a master key.
API Security Controls
The potential for API data exposure suggests missing or insufficient API authentication checks. APIs in CI/CD tools carry build parameters, environment variables, and integration tokens. If these APIs leak data due to privilege escalation, you've lost control of your secrets distribution.
Network Segmentation
This vulnerability highlights why CI/CD tools should not be internet-facing. TeamCity instances exposed to the public internet give attackers direct access to test for privilege escalation. Even with the patch applied, you've unnecessarily expanded your attack surface.
Credential Rotation Mechanisms
Organizations without automated credential rotation face extended exposure. If an attacker escalated privileges and extracted API tokens before you patched, those tokens remain valid until you rotate them. Without rotation automation, you're manually hunting through dozens of integrations.
What the Relevant Standards Require
PCI DSS v4.0.1
Requirement 6.3.2 mandates that security vulnerabilities are identified and addressed based on risk ranking. High-severity vulnerabilities in systems that process, store, or transmit cardholder data require immediate action.
Requirement 6.4.3 requires that security patches are installed within one month of release for critical systems. If your TeamCity instance touches payment processing workflows, you're on the clock.
Requirement 7.2.1 specifies that access control systems must assign privileges based on job classification and function. Privilege escalation vulnerabilities directly violate this requirement.
NIST 800-53 Rev 5
AC-6 (Least Privilege) requires that users and processes operate with the minimum privileges necessary. A privilege escalation bug indicates your enforcement mechanism is broken.
SI-2 (Flaw Remediation) mandates that you install security-relevant software updates within organization-defined time periods. For high-severity vulnerabilities in critical infrastructure, that period should be days, not weeks.
CM-7 (Least Functionality) requires that you disable unnecessary APIs and services. If TeamCity APIs expose sensitive data during privilege escalation, audit which APIs need to be enabled.
ISO/IEC 27001:2022
Control 8.8 (Management of Technical Vulnerabilities) requires timely information about technical vulnerabilities and evaluation of exposure. You need a process that flags TeamCity security advisories the day they're published.
Control 5.15 (Access Control) mandates that access rights are provisioned according to policy. When privilege escalation is possible, your access control implementation has failed.
Lessons and Action Items for Your Team
Immediate Actions
Patch within 48 hours. High-severity vulnerabilities in CI/CD tools cannot wait for your monthly patching cycle. If you can't upgrade TeamCity immediately, apply the security patch JetBrains provided.
Rotate all credentials. Assume breach until you've patched. Rotate API tokens for cloud providers, artifact repositories, container registries, and any external service TeamCity integrates with. If you extracted credentials from TeamCity's database or configuration files, rotate those too.
Audit access logs. Check TeamCity's authentication and authorization logs for anomalous privilege changes or API access patterns. Look for user accounts that suddenly gained administrative rights or accessed APIs outside their normal usage pattern.
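The log review described above can be scripted so it runs on every export rather than by eye. The following is an added example (not JetBrains' or TeamCity's own code): it parses a constructed key=value audit format, flags any assignment of an admin role (with a separate flag when the actor granted the role to themselves) and reports actors whose API call rate spikes inside a sliding window. The line format, role names and sample entries are assumptions for illustration; TeamCity's real audit and REST access logs differ, so LINE_RE and ADMIN_ROLES must be adapted before use on real files.

```python
"""Flag suspicious privilege changes and API bursts in a CI server audit log.

Added example, not JetBrains' or TeamCity's own code. The key=value line
format below is constructed for illustration; the real TeamCity audit log
and REST access log formats differ, so LINE_RE must be adapted to them.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: one low-privilege user (bob) grants himself
# SYSTEM_ADMIN and then walks the REST API; alice performs routine admin work.
SAMPLE_LOG = """\
2026-04-02T09:00:01Z actor=bob action=LOGIN
2026-04-02T09:05:12Z actor=bob action=API_GET path=/app/rest/builds
2026-04-02T09:06:40Z actor=bob action=API_GET path=/app/rest/projects/P1/parameters
2026-04-02T09:07:02Z actor=bob action=ROLE_ASSIGNED role=SYSTEM_ADMIN target=bob
2026-04-02T09:07:30Z actor=bob action=API_GET path=/app/rest/users
2026-04-02T09:07:31Z actor=bob action=API_GET path=/app/rest/vcs-roots
2026-04-02T09:07:32Z actor=bob action=API_GET path=/app/rest/agents
2026-04-02T09:07:33Z actor=bob action=API_GET path=/app/rest/buildTypes
2026-04-02T09:07:34Z actor=bob action=API_GET path=/app/rest/server
2026-04-02T09:10:00Z actor=alice action=LOGIN
2026-04-02T09:11:00Z actor=alice action=ROLE_ASSIGNED role=PROJECT_DEVELOPER target=carol
2026-04-02T09:12:00Z actor=alice action=API_GET path=/app/rest/builds
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) actor=(?P<actor>\S+) action=(?P<action>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
# Roles whose assignment should always be reviewed (role names are assumed).
ADMIN_ROLES = {"SYSTEM_ADMIN", "PROJECT_ADMIN"}


def parse_line(line):
    """Turn one audit line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(dict(KV_RE.findall(rec.pop("rest"))))
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def find_privilege_changes(records):
    """Every admin-role grant, flagged harder when the actor granted it to themselves."""
    findings = []
    for r in records:
        if r["action"] == "ROLE_ASSIGNED" and r.get("role") in ADMIN_ROLES:
            findings.append({
                "ts": r["ts"], "actor": r["actor"], "role": r["role"],
                "target": r.get("target"), "self_grant": r.get("target") == r["actor"],
            })
    return findings


def find_api_bursts(records, window_seconds=60, threshold=5):
    """Actors whose peak API call count inside any sliding window reaches the threshold."""
    per_actor = defaultdict(list)
    for r in records:
        if r["action"].startswith("API_"):
            per_actor[r["actor"]].append(datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    bursts = {}
    for actor, times in per_actor.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until the window fits in window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[actor] = peak
    return bursts


def analyze(text):
    records = parse_log(text)
    return {"privilege_changes": find_privilege_changes(records),
            "api_bursts": find_api_bursts(records)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["privilege_changes"]:
        tag = "SELF-GRANT" if f["self_grant"] else "grant"
        print(f"{f['ts']} {tag}: {f['actor']} -> {f['target']} as {f['role']}")
    for actor, peak in result["api_bursts"].items():
        print(f"API burst: {actor} made {peak} calls within 60s")
```

On the constructed sample, bob's self-assignment of SYSTEM_ADMIN is reported, and his six REST calls inside one minute trip the burst threshold while alice's routine activity does not. The window and threshold are starting points; tune them against a baseline of your own instance's normal API usage before acting on the output.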
Network Configuration
Remove internet exposure. Your TeamCity instance should sit behind a VPN or zero-trust network access solution. Build agents connect outbound; administrators connect through authenticated tunnels. There is no legitimate reason for TeamCity's web interface to accept connections from the public internet.
Segment your CI/CD network. Place TeamCity in a dedicated VLAN with strict firewall rules. Build agents should reach TeamCity, but TeamCity should not have unrestricted access to your production environment. Use service accounts with scoped credentials for deployments.
Credential Management
Implement automated rotation. Manual credential rotation doesn't scale. Use tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to generate short-lived credentials for builds. When a vulnerability forces emergency rotation, you run a script instead of updating numerous configuration files.
Eliminate long-lived tokens. If your build configurations reference API tokens that never expire, you've created permanent exposure. Switch to dynamic credentials that TeamCity requests per-build and that expire within hours.
Audit secrets in build logs. Privilege escalation often leads to secrets extraction. Review your build logs for accidentally printed credentials. Configure TeamCity's password parameters feature to mask sensitive values.
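Reviewing build logs for printed credentials is another task worth automating. The following is an added example, not TeamCity's own password-masking feature: it scans build output with a small rule set (AWS access key ID shape, bearer tokens, `keyword=value` assignments), scores each hit with Shannon entropy so random-looking tokens stand out from low-entropy noise, and emits a redacted copy of the log. The log lines and every secret-looking value in them are constructed for illustration.

```python
"""Scan CI build log output for leaked credentials and produce a redacted copy.

Added example, not TeamCity's own masking feature. The log lines and the
secret-looking values in them are constructed for illustration.
"""
import math
import re
from collections import Counter

# (rule name, pattern, index of the capture group holding the secret value)
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("bearer_token", re.compile(r"\bBearer\s+([A-Za-z0-9._\-]{20,})"), 1),
    ("credential_assignment",
     re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\"]+)"), 2),
]

# Constructed build log: two exported secrets and one bearer token leak into the
# output; the "token count" line is benign and must not be flagged.
SAMPLE_BUILD_LOG = """\
[10:00:01] Step 1/3: Checkout
[10:00:02] Cloning into 'app'...
[10:00:05] Step 2/3: Build
[10:00:06] export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[10:00:06] export DEPLOY_TOKEN=q8Zr3XwL0pVb7NkS2yHd9TfG1mJc4aQe
[10:00:07] curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c29tZXRoaW5n.c2lnbmF0dXJl" https://registry.example/v2/
[10:00:08] Retrieved 3 artifacts, build token count: 12
[10:00:09] Step 3/3: Done
"""


def shannon_entropy(value):
    """Bits per character; random tokens score high, words and small numbers score low."""
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_build_log(text, entropy_threshold=3.5):
    """Return (findings, redacted_text); each finding records line, rule and entropy flag."""
    findings, redacted_lines = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        clean = line
        for rule, pattern, group in RULES:
            for m in pattern.finditer(line):
                value = m.group(group)
                findings.append({
                    "line": lineno,
                    "rule": rule,
                    "high_entropy": shannon_entropy(value) >= entropy_threshold,
                })
                # Replace the secret value only, so the redacted log stays readable.
                clean = clean.replace(value, "***")
        redacted_lines.append(clean)
    return findings, "\n".join(redacted_lines)


if __name__ == "__main__":
    findings, redacted = scan_build_log(SAMPLE_BUILD_LOG)
    for f in findings:
        conf = "high-entropy" if f["high_entropy"] else "low-entropy"
        print(f"line {f['line']}: {f['rule']} ({conf})")
    print(redacted)
```

On the sample, the three leaked values are reported and replaced by `***` while the benign "token count" line passes. The entropy flag is a confidence hint, not a filter: a low-entropy `password=hunter2` is still a leak, so every assignment hit is reported and the flag only tells a reviewer which ones look like generated tokens.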
Vulnerability Management Process
Subscribe to vendor advisories. You should have received the TeamCity security advisory the same day JetBrains published it. If you didn't, fix your alert routing. Critical infrastructure vendors' security lists are not optional.
Define patching SLAs by system criticality. Your CI/CD pipeline is critical infrastructure. It touches every application you ship. High-severity vulnerabilities in TeamCity warrant the same urgency as vulnerabilities in your authentication system or payment processor.
Test patches in staging. You need a staging TeamCity instance that mirrors production. Test the patch there first, but don't let testing delay production patching by more than 24 hours for high-severity issues.
Document your CI/CD threat model. What happens if an attacker gains admin access to TeamCity? Map the blast radius: which credentials they'd access, which systems they could pivot to, which code they could inject into builds. This threat model drives your patching urgency and network segmentation decisions.
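The blast-radius mapping described above is a graph walk over your credential inventory, and keeping it as data rather than a diagram means it can be re-run after every integration change. The following is an added example, not TeamCity's own tooling: it models which credentials each system stores and which systems each credential authenticates to, computes everything an attacker with full control of the TeamCity server can reach (with hop counts), and ranks the server's credentials by how many systems each one leads to, which is also a sensible rotation order. The inventory, system names and credential names are constructed for illustration.

```python
"""Map the blast radius of a CI server compromise from a credential inventory.

Added example, not TeamCity's own tooling. The inventory below is constructed:
it lists which credentials each system stores and which systems each credential
authenticates to, so a compromise can be traced as a breadth-first graph walk.
"""
from collections import deque

# system -> credentials stored on it (constructed inventory)
HOLDS = {
    "teamcity": ["aws-deploy-key", "registry-push-token", "github-app-token", "vault-approle"],
    "prod-aws-account": ["eks-kubeconfig"],
    "vault": ["db-admin-password"],
}

# credential -> systems it authenticates to (constructed inventory)
GRANTS = {
    "aws-deploy-key": ["prod-aws-account"],
    "registry-push-token": ["container-registry"],
    "github-app-token": ["source-repos"],
    "vault-approle": ["vault"],
    "eks-kubeconfig": ["prod-k8s-cluster"],
    "db-admin-password": ["prod-database"],
}


def reachable_from(systems, holds=HOLDS, grants=GRANTS):
    """BFS over system -> credential -> system edges; returns {system: hop count}."""
    hops = {}
    queue = deque()
    for s in systems:
        hops[s] = 0
        queue.append(s)
    while queue:
        system = queue.popleft()
        for cred in holds.get(system, []):
            for target in grants.get(cred, []):
                if target not in hops:          # visited check also terminates cycles
                    hops[target] = hops[system] + 1
                    queue.append(target)
    return hops


def blast_radius(start="teamcity", holds=HOLDS, grants=GRANTS):
    """Systems an attacker with full control of `start` can reach, excluding start itself."""
    hops = reachable_from([start], holds, grants)
    hops.pop(start)
    return hops


def rotation_priority(holder="teamcity", holds=HOLDS, grants=GRANTS):
    """Credentials stored on `holder`, ordered by how many systems each one leads to."""
    ranked = []
    for cred in holds.get(holder, []):
        reach = reachable_from(grants.get(cred, []), holds, grants)
        ranked.append((cred, len(reach)))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for system, hop in sorted(blast_radius().items(), key=lambda kv: (kv[1], kv[0])):
        print(f"hop {hop}: {system}")
    print("rotate first:")
    for cred, count in rotation_priority():
        print(f"  {cred} (reaches {count} systems)")
```

On the constructed inventory, the production database and Kubernetes cluster are two hops away even though TeamCity holds no credential for either, which is exactly the pivot the threat model is meant to surface. The ranking puts the two credentials that open second-hop systems at the top of the rotation list; when a credential's reach is unacceptably wide, the fix is to narrow its scope in the inventory and re-run the walk.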
Privilege escalation in your CI/CD system is not just another vulnerability. It's a potential supply chain compromise. Patch immediately, rotate credentials, and fix the network exposure that made this vulnerability accessible in the first place.