CVE-2026-59794 in TeamCity
Summary
by MITRE • 07/10/2026
In JetBrains TeamCity before 2026.1.2 stored XSS on the cloud profile page was possible via agent-reported data
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
This vulnerability in JetBrains TeamCity affects versions prior to 2026.1.2 and represents a stored cross-site scripting flaw on the cloud profile page that can be exploited through agent-reported data. The issue arises from insufficient input validation and output encoding mechanisms within the cloud profile page functionality, allowing malicious actors to inject persistent script payloads that execute in the context of other users who view the affected page. The vulnerability is classified as a stored XSS attack because the malicious content is permanently stored on the server and then served to unsuspecting users when they access the cloud profile page.
The technical exploitation occurs when TeamCity agents report data containing malicious scripts that are subsequently displayed on the cloud profile interface without proper sanitization or encoding. This allows attackers who can influence agent-reported data to execute arbitrary JavaScript code in the browser context of authenticated users with appropriate privileges. The vulnerability demonstrates a classic input validation failure where the system trusts agent-reported information without adequate verification, creating an attack surface that aligns with CWE-79 - Improper Neutralization of Input During Web Page Generation. The flaw enables attackers to potentially steal session cookies, perform actions on behalf of users, or redirect them to malicious sites.
The operational impact of this vulnerability extends beyond simple script execution as it can compromise the entire TeamCity environment through privilege escalation and lateral movement attacks. An attacker who successfully exploits this vulnerability could gain access to build configurations, credentials stored within TeamCity, and potentially access to underlying source code repositories and deployment systems. This represents a significant risk to continuous integration and deployment pipelines where TeamCity serves as a central orchestrator for automated builds and deployments. The attack vector through agent-reported data suggests that compromised agents or insider threats could leverage this vulnerability to maintain persistence within the CI/CD environment, aligning with ATT&CK technique T1059.007 - Command and Scripting Interpreter: JavaScript.
Mitigation strategies include immediate upgrading to TeamCity version 2026.1.2 or later where the XSS vulnerability has been patched. Organizations should also implement additional security controls such as input validation on agent-reported data, strict output encoding of all user-provided content displayed on web interfaces, and regular security scanning of web applications to identify similar vulnerabilities. Network segmentation and monitoring of agent communications can help detect potential exploitation attempts. The fix typically involves implementing proper HTML escaping and sanitization mechanisms for all dynamic content rendered on the cloud profile page, ensuring that any data reported by agents is properly validated before being stored or displayed. Security teams should also consider implementing web application firewalls and content security policies to provide additional defense-in-depth measures against similar cross-site scripting vulnerabilities in CI/CD environments.