CVE-2026-59794 JetBrains TeamCity vulnerability
In JetBrains TeamCity before 2026.1.2 stored XSS on the cloud profile page was possible via agent-reported data
Quick answer
JetBrains TeamCity should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- TeamCity before 2026.1.2
Fixed versions
- 2026.1.2
How to fix it
CVE-2026-59794 affects JetBrains TeamCity where stored XSS on the cloud profile page was possible through agent-reported data. Prioritize deployments or workstations that process untrusted project data, issue content, agents, VCS integrations, or email content depending on the product. Update to 2026.1.2 or a later vendor-supported patched build listed by JetBrains. Restrict agent registration and cloud profile administration until patched.
- Inventory all JetBrains TeamCity installations, including production servers, developer workstations, plugins, integrations, and hosted/on-prem environments as applicable.
- Identify versions below the JetBrains fixed build for CVE-2026-59794: 2026.1.2.
- Upgrade JetBrains TeamCity to 2026.1.2 or a later vendor-supported patched build through the normal JetBrains update channel.
- Restrict agent registration and cloud profile administration until patched.
- Review product roles, project permissions, agent trust, VCS integrations, uploaded content, and plugin configuration for unnecessary exposure.
- Review application, audit, email, agent, VCS, and endpoint logs for suspicious payloads or unexpected file/content access around the affected workflow.
- If exploitation is suspected, revoke sessions and tokens, rotate integration credentials, remove malicious content, and preserve evidence before cleanup.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm JetBrains TeamCity reports 2026.1.2 or a later vendor-supported patched build.
- Confirm agent-reported cloud profile data renders as inert text.
- Confirm relevant permissions, integrations, agents, and content-rendering paths are limited to the intended trusted users or systems.
- Run focused regression tests for the affected workflow and verify malicious payloads render safely or are rejected.
- Document patched build numbers, integration checks, log review, and any credential rotation or content cleanup.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-59794?
JetBrains TeamCity versions listed as affected should be reviewed: TeamCity before 2026.1.2.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
