The JetBrains Blog

High-Severity Security Issue Affecting TeamCity On-Premises (CVE-2026-44413) – Update to 2026.1 Now



Daniel Gallo

May 11, 2026

Summary

  • A high-severity post-authentication security vulnerability has been identified in TeamCity On-Premises and assigned the CVE identifier CVE-2026-44413.
  • It may allow any authenticated user to expose some parts of the TeamCity server API to unauthorized users.
  • It affects all TeamCity On-Premises versions through 2025.11.4.
  • The issue has been fixed in version 2026.1.
  • We encourage all users to update their servers to the latest version.
  • For those who are unable to do so, we have released a security patch plugin.
  • TeamCity Cloud is not affected and requires no action.

Details

A high-severity post-authentication security vulnerability has been identified in TeamCity On-Premises. If exploited, this flaw may allow any authenticated user to expose some parts of the TeamCity server API to unauthorized users.

All versions of TeamCity On-Premises are affected, while TeamCity Cloud is not affected and requires no action. We have verified that TeamCity Cloud environments were not impacted by this issue.

This post-authentication privilege escalation vulnerability was reported to us privately on April 30, 2026, by Martin Orem (binary.house) in accordance with our coordinated disclosure policy. It has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2026-44413.

A fix for the issue has been introduced in version 2026.1. We have also released a security patch plugin for 2017.1+ so that customers who are unable to upgrade can still patch their environments.

If your TeamCity server is publicly accessible over the internet and you are unable to apply one of the mitigation options described below, we strongly recommend temporarily restricting external access until you have done so.

Mitigation option 1: Update your server to 2026.1

To update your TeamCity server, download and install the latest version (2026.1) or use the automatic update option within TeamCity. This version includes a fix for the vulnerability described above.

Mitigation option 2: Apply the security patch plugin

If you are unable to update your server to version 2026.1, we have also released a security patch plugin that can be installed on TeamCity 2017.1+ and will patch the specific vulnerability described above.

You can acquire it in the following ways:

  • Download and install it manually.
  • For TeamCity 2024.03 and newer, TeamCity automatically downloads available security patch plugins and notifies administrators (if notifications are configured). You can review and apply pending security patches from _Administration_ | _Updates_, under _Available security updates_.

For TeamCity 2017.1 to 2018.1, a server restart is required after the plugin is installed. Starting from TeamCity 2018.2, you can enable it without restarting the TeamCity server.

See the TeamCity plugin installation instructions for more information.

Important: The security patch plugin will only address the vulnerability described above. We always recommend upgrading your server to the latest version to benefit from many other security updates.
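The two mitigation options above depend on the server version, so an inventory can be triaged mechanically. The following is an added example, not JetBrains code: the function names and the sample inventory (including the build number) are constructed, and the version thresholds are the ones stated in this post.

```python
import re

FIXED = (2026, 1)               # post: fixed in 2026.1
LAST_AFFECTED = (2025, 11, 4)   # post: affects versions through 2025.11.4
PLUGIN_MIN = (2017, 1)          # post: patch plugin installs on 2017.1+
NO_RESTART_FROM = (2018, 2)     # post: from 2018.2 no server restart needed
AUTO_DOWNLOAD_FROM = (2024, 3)  # post: 2024.03+ downloads patches itself


def parse_version(text):
    """'2024.03.1 (build 12345)' -> (2024, 3, 1); ValueError if absent."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def triage(version_text):
    """Map one server version to the mitigation options in the post."""
    v = parse_version(version_text)
    if v >= FIXED:
        return {"status": "fixed", "plugin": None, "plugin_restart": False}
    if v > LAST_AFFECTED:
        # Falls between the two stated ranges; the post does not classify it.
        return {"status": "unlisted", "plugin": None, "plugin_restart": False}
    if v < PLUGIN_MIN:
        # Older than 2017.1: no patch plugin, upgrading is the only option.
        return {"status": "affected", "plugin": None, "plugin_restart": False}
    return {
        "status": "affected",
        "plugin": "auto-downloaded" if v >= AUTO_DOWNLOAD_FROM else "manual",
        "plugin_restart": v < NO_RESTART_FROM,
    }


if __name__ == "__main__":
    # Constructed inventory of version strings.
    for ver in ["10.0.5", "2018.1.5", "2023.11.4", "2025.11.4 (build 12345)", "2026.1"]:
        print(ver, triage(ver))
```
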

Best practices

As a longer-term security best practice for internet-facing TeamCity servers (that is, servers accessible to external users who can reach the TeamCity login screen), consider requiring connections through a VPN or implementing an additional security layer to help prevent unauthorized access. Even exposing the TeamCity login screen or REST API can provide potential entry points for attackers to exploit newly disclosed vulnerabilities.

Technical details

This vulnerability affects all TeamCity installations where the firewall permits inbound connections on ports other than the standard HTTP/HTTPS one used by TeamCity, or where build agents are running on the same host as the TeamCity server.

Exploitation of this vulnerability requires access to a TeamCity account, including a standard user account or the guest user account (if guest access is enabled). If exploited, it could allow an authenticated user to expose some parts of the TeamCity server API to unauthorized access.

As a general best practice, we strongly recommend restricting inbound network access to only required ports.

TeamCity servers should also run on dedicated hosts separate from build agents, as described in our documentation.
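One way to check the first condition on a Linux TeamCity host is to list TCP listeners that are bound to a non-loopback address on any port other than the TeamCity web port, since those are the ports the firewall must not admit. This is an added example, not part of the original post: it parses a constructed sample of `ss -tlnH` output, and the web port 8111 is an assumption to replace with your server's actual HTTP/HTTPS port.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (listening TCP sockets, no header).
SAMPLE_SS = """\
LISTEN 0 100          0.0.0.0:8111       0.0.0.0:*
LISTEN 0 128        127.0.0.1:5432       0.0.0.0:*
LISTEN 0 50                 *:9090             *:*
LISTEN 0 128             [::]:22            [::]:*
LISTEN 0 4096           [::1]:6379          [::]:*
LISTEN 0 128       192.0.2.10:45000      0.0.0.0:*
"""


def split_endpoint(endpoint):
    """Split ss's 'addr:port', including '[v6]:port', '*:port', 'addr%if:port'."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.split("%")[0].strip("[]")  # drop interface scope, then brackets
    return addr, int(port)


def is_loopback(addr):
    if addr == "*":
        return False  # wildcard bind: listens on every interface
    return ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_output, web_ports):
    """Return sorted (port, addr) pairs that are reachable from off-host and
    are not a TeamCity web port; each needs a firewall rule blocking inbound
    traffic or a documented reason to stay open."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_endpoint(fields[3])
        if port in web_ports or is_loopback(addr):
            continue
        found.add((port, addr))
    return sorted(found)


if __name__ == "__main__":
    # 8111 is an assumed web port for this sample; pass your own.
    for port, addr in exposed_listeners(SAMPLE_SS, web_ports={8111}):
        print(f"review inbound rule for {addr} port {port}")
```

A listener in this list is only a candidate: whether it is reachable still depends on the host and network firewall rules in front of it.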

Support

If you have any questions regarding this issue or encounter problems upgrading, please get in touch with the TeamCity Support team by submitting a ticket.
