High-Severity Security Issue Affecting TeamCity On-Premises (CVE-2026-44413) – Update to 2026.1 Now

Summary

  • A high-severity post-authentication security vulnerability has been identified in TeamCity On-Premises and assigned the CVE identifier CVE-2026-44413.
  • It may allow any authenticated user to expose some parts of the TeamCity server API to unauthorized users.
  • It affects all TeamCity On-Premises versions through 2025.11.4.
  • The issue has been fixed in version 2026.1.
  • We encourage all users to update their servers to the latest version.
  • For those who are unable to do so, we have released a security patch plugin.
  • TeamCity Cloud is not affected and requires no action.

Details

A high-severity post-authentication security vulnerability has been identified in TeamCity On-Premises. If exploited, this flaw may allow any authenticated user to expose some parts of the TeamCity server API to unauthorized users.

All versions of TeamCity On-Premises are affected, while TeamCity Cloud is not affected and requires no action. We have verified that TeamCity Cloud environments were not impacted by this issue.

This post-authentication privilege escalation vulnerability was reported to us privately on April 30, 2026, by Martin Orem (binary.house) in accordance with our coordinated disclosure policy. It has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2026-44413.

A fix for the issue has been introduced in version 2026.1. We have also released a security patch plugin for 2017.1+ so that customers who are unable to upgrade can still patch their environments.

If your TeamCity server is publicly accessible over the internet and you are unable to apply one of the mitigation options described below, we strongly recommend temporarily restricting external access until you have done so.

Mitigation option 1: Update your server to 2026.1

To update your TeamCity server, download and install the latest version (2026.1) or use the automatic update option within TeamCity. This version includes a fix for the vulnerability described above.

Mitigation option 2: Apply the security patch plugin

If you are unable to update your server to version 2026.1, we have also released a security patch plugin that can be installed on TeamCity 2017.1+ and will patch the specific vulnerability described above.

You can acquire it in the following ways:

  • Download and install it manually.
  • For TeamCity 2024.03 and newer, TeamCity automatically downloads available security patch plugins and notifies administrators (if notifications are configured). You can review and apply pending security patches from Administration | Updates, under Available security updates.

For TeamCity 2017.1 to 2018.1, a server restart is required after the plugin is installed. Starting from TeamCity 2018.2, you can enable it without restarting the TeamCity server.

See the TeamCity plugin installation instructions for more information.

Important: The security patch plugin will only address the vulnerability described above. We always recommend upgrading your server to the latest version to benefit from many other security updates.

Best practices

As a longer-term security best practice for internet-facing TeamCity servers (that is, servers accessible to external users who can reach the TeamCity login screen), consider requiring connections through a VPN or implementing an additional security layer to help prevent unauthorized access. Even exposing the TeamCity login screen or REST API can provide potential entry points for attackers to exploit newly disclosed vulnerabilities.

Technical details

This vulnerability affects all TeamCity installations where the firewall permits inbound connections on ports other than the standard HTTP/HTTPS port used by TeamCity, or where build agents are running on the same host as the TeamCity server.

Exploitation of this vulnerability requires access to a TeamCity account, including a standard user account or the guest user account (if guest access is enabled). If exploited, it could allow an authenticated user to expose some parts of the TeamCity server API to unauthorized access.

As a general best practice, we strongly recommend restricting inbound network access to only required ports.

TeamCity servers should also run on dedicated hosts separate from build agents, as described in our documentation.
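
To check a server host against the two conditions named above, the following added example (not JetBrains code) parses the output of `ss -H -ltnp` and reports non-loopback listeners other than the TeamCity port, plus whether a build agent port is listening on the same host. The sample output is constructed, and the port values 8111 (server) and 9090 (agent) are assumptions to replace with your own configuration.

```python
import re

# Constructed sample of `ss -H -ltnp` output from a hypothetical TeamCity server host.
SAMPLE_SS = """\
LISTEN 0 100 0.0.0.0:8111 0.0.0.0:* users:(("java",pid=1201,fd=45))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 50 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=933,fd=5))
LISTEN 0 50 [::]:9090 [::]:* users:(("java",pid=1502,fd=61))
LISTEN 0 50 [::1]:8105 [::]:* users:(("java",pid=1201,fd=52))
"""

PROC = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1, ignoring any %interface suffix."""
    addr = addr.split("%")[0].strip("[]")
    return addr.startswith("127.") or addr == "::1"


def parse_listeners(ss_output):
    """Yield (address, port, process) for each LISTEN line of `ss -H -ltnp`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        match = PROC.search(line)
        yield addr, int(port), match.group(1) if match else "unknown"


def audit(ss_output, teamcity_ports, agent_ports):
    """Evaluate the two exposure conditions from the technical details."""
    listeners = list(parse_listeners(ss_output))
    # Condition 1: listeners reachable from the network on ports other than
    # the TeamCity HTTP/HTTPS port; each needs a firewall rule reviewed.
    extra = sorted({(port, proc) for addr, port, proc in listeners
                    if not is_loopback(addr) and port not in teamcity_ports})
    # Condition 2: a build agent listening on the same host as the server.
    agent_here = any(port in agent_ports for _, port, _ in listeners)
    return {"review_firewall_for": extra, "agent_on_server_host": agent_here}


if __name__ == "__main__":
    # Assumed site values: server on 8111, build agent on 9090.
    print(audit(SAMPLE_SS, teamcity_ports={8111}, agent_ports={9090}))
```

A listener in `review_firewall_for` is not necessarily a problem (SSH is usually needed for administration); it marks a port whose inbound firewall rule should be restricted to the sources that require it.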

Support

If you have any questions regarding this issue or encounter problems upgrading, please get in touch with the TeamCity Support team by submitting a ticket.