CVE-2026-49372
Received
Received - Intake
Unauthenticated SSRF in JetBrains TeamCity
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: JetBrains s.r.o.
Description
Description
In JetBrains TeamCity before 2026.1,
2025.11.5 unauthenticated SSRF via build status was possible
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jetbrains | teamcity | to 2026.1 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unauthenticated Server-Side Request Forgery (SSRF) in JetBrains TeamCity versions before 2026.1. It occurs via the build status feature, allowing an attacker to make the server perform unauthorized requests.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing an unauthenticated attacker to make the TeamCity server send requests to internal or external systems. This can lead to unauthorized access to sensitive information or internal services, as indicated by the high confidentiality impact in the CVSS score.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70