highCVE-2026-59795

CVE-2026-59795 teamcity vulnerability

In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible

Productteamcity
CVSS8.1
EPSS0.00268
UpdatedJuly 13, 2026

Quick answer

jetbrains teamcity should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

CVE-2026-59795 affects JetBrains TeamCity: stored cross-site scripting through unauthenticated agent registration in versions before 2026.1.2. Update TeamCity to 2026.1.2 or a later JetBrains-supported patched build. Until the upgrade is complete, limit exposure of TeamCity, restrict agent registration and project administration, and review audit logs for unauthorized pipeline or agent-related changes.

  1. Inventory all TeamCity servers, including production, staging, build, and disaster-recovery instances.
  2. Identify installations running versions before 2026.1.2 and prioritize internet-facing or broadly accessible TeamCity servers.
  3. Upgrade JetBrains TeamCity to 2026.1.2 or a later vendor-supported patched build through the normal JetBrains update process.
  4. Disable or tightly control unauthenticated agent registration until patched, and inspect agent names, metadata, cloud profiles, and UI-rendered agent data for stored script payloads.
  5. Review project roles, group memberships, build configuration permissions, agent pools, cloud profiles, VCS roots, service accounts, and API tokens for unnecessary privilege.
  6. Review TeamCity audit, web, agent, VCS, and reverse-proxy logs for suspicious activity related to CVE-2026-59795.
  7. If exploitation is suspected, preserve evidence, revoke sessions and tokens, rotate integration credentials, remove malicious content or configuration changes, and rebuild affected agents from trusted images.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm TeamCity reports 2026.1.2 or a later vendor-supported patched build.
  • Confirm unauthenticated agent registration and agent-reported data cannot store script payloads that execute in TeamCity UI pages.
  • Confirm agent registration, project administration, VCS integrations, and service account permissions are limited to intended trusted users or systems.
  • Run focused regression tests for the affected workflow and verify unauthorized changes or stored payloads are rejected or rendered safely.
  • Document patched build numbers, permission review, log review, evidence collection, and any credential rotation or cleanup.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-59795?

jetbrains teamcity should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.