CVE-2026-49376EXPLOITEDPATCHED

jetbrains · teamcity

CVE-2026-49376: In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin

Description

In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin

Affected Products

Vendor	Product	Versions
jetbrains	teamcity	0

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
jetbrains	teamcity	cert_advisory	90%

References

https://www.jetbrains.com/privacy-security/issues-fixed/

Related News (2 articles)

Tier B

BSI Advisories16d ago

[NEU] [mittel] JetBrains TeamCity: Mehrere Schwachstellen

→ No new info (linked only)

Tier C

VulDB19d ago

CVE-2026-49376 | JetBrains TeamCity up to 2026.0 authorization

→ No new info (linked only)

CVSS 3.16.5 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2026.1

CWECWE-863

PublishedMay 29, 2026

Last enriched19d agov2

Trending Score6

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

PRE-CVE

Security vulnerability in JetBrains GoLand prior to 2026.1.3

Trending: 20

HIGHCVE-2026-49373

CVE-2026-49373: In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings

Trending: 7

HIGHCVE-2026-49366

CVE-2026-49366: In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion

Trending: 7

HIGHCVE-2026-49374

CVE-2026-49374: In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters

Trending: 6

HIGHCVE-2026-49371

CVE-2026-49371: In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible

Trending: 6

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 29, 2026

Discovered by ZDM

May 29, 2026

Updated: severity, affectedVersions, activelyExploited

May 29, 2026

Actively Exploited

May 29, 2026

Patch Available

May 29, 2026

Version History

Last enriched 19d ago

v2Tier C19d ago

Updated severity to CRITICAL, added affected version 2026.0, and marked the vulnerability as actively exploited.

severityaffectedVersionsactivelyExploited

via VulDB

v119d ago

Initial creation