highCVE-2026-59796

CVE-2026-59796 teamcity vulnerability

In JetBrains TeamCity before 2026.1.2 pipeline modification was possible due to improper permission checks

Productteamcity
CVSS8.1
EPSS0.00248
UpdatedJuly 13, 2026

Quick answer

jetbrains teamcity should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

CVE-2026-59796 affects JetBrains TeamCity: pipeline modification due to improper permission checks in versions before 2026.1.2. Update TeamCity to 2026.1.2 or a later JetBrains-supported patched build. Until the upgrade is complete, limit exposure of TeamCity, restrict agent registration and project administration, and review audit logs for unauthorized pipeline or agent-related changes.

  1. Inventory all TeamCity servers, including production, staging, build, and disaster-recovery instances.
  2. Identify installations running versions before 2026.1.2 and prioritize internet-facing or broadly accessible TeamCity servers.
  3. Upgrade JetBrains TeamCity to 2026.1.2 or a later vendor-supported patched build through the normal JetBrains update process.
  4. Restrict pipeline editing, project administration, build configuration changes, and token/service-account permissions until patched.
  5. Review project roles, group memberships, build configuration permissions, agent pools, cloud profiles, VCS roots, service accounts, and API tokens for unnecessary privilege.
  6. Review TeamCity audit, web, agent, VCS, and reverse-proxy logs for suspicious activity related to CVE-2026-59796.
  7. If exploitation is suspected, preserve evidence, revoke sessions and tokens, rotate integration credentials, remove malicious content or configuration changes, and rebuild affected agents from trusted images.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm TeamCity reports 2026.1.2 or a later vendor-supported patched build.
  • Confirm low-privileged users cannot modify pipelines, build configurations, or project settings outside their intended permissions.
  • Confirm agent registration, project administration, VCS integrations, and service account permissions are limited to intended trusted users or systems.
  • Run focused regression tests for the affected workflow and verify unauthorized changes or stored payloads are rejected or rendered safely.
  • Document patched build numbers, permission review, log review, evidence collection, and any credential rotation or cleanup.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-59796?

jetbrains teamcity should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.