CVE-2026-59795 in TeamCityinfo

Summary

by MITRE • 07/10/2026

In JetBrains TeamCity before 2026.1.2 stored XSS via unauthenticated agent registration was possible

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability in JetBrains TeamCity versions prior to 2026.1.2 represents a critical stored cross-site scripting flaw that emerged through the unauthenticated agent registration process. The vulnerability stems from insufficient input validation and output encoding mechanisms within the agent registration endpoint, allowing remote attackers to inject malicious javascript code that would be persisted in the system and executed whenever affected pages were rendered. The flaw specifically manifests when unauthenticated agents attempt to register with the TeamCity server, where user-supplied parameters containing script payloads are not properly sanitized before being stored in the system's database or configuration files.

The technical implementation of this vulnerability leverages the fact that TeamCity's agent registration mechanism does not adequately validate or encode data submitted by potentially malicious actors during the initial registration phase. When an agent attempts to register without proper authentication, the system accepts parameters such as agent name, description, or other identifying fields that contain unescaped javascript code. This code becomes permanently stored within the TeamCity database and is subsequently rendered in various administrative interfaces, web pages, and API responses without appropriate context-aware escaping mechanisms.

The operational impact of this vulnerability extends far beyond simple script execution, as it provides attackers with persistent access to the TeamCity environment through a technique that aligns with CWE-79 Cross-site Scripting. An attacker could potentially execute malicious scripts in the context of authenticated users who view affected pages, leading to session hijacking, privilege escalation, or data exfiltration. The vulnerability is particularly dangerous because it operates without requiring authentication, making it accessible to any external party attempting to interact with the TeamCity server's agent registration endpoint.

From an attack methodology perspective, this vulnerability maps directly to ATT&CK technique T1059.007 Command and Scripting Interpreter: JavaScript, as attackers can leverage the stored javascript payload to execute arbitrary code within the browser context of legitimate users. The persistence aspect of this flaw means that even after initial exploitation, the malicious code continues to execute whenever affected pages are accessed, making it difficult to detect and remediate. Additionally, the vulnerability may enable further attacks through techniques such as credential theft or lateral movement within the build infrastructure.

The recommended mitigation strategy involves upgrading to JetBrains TeamCity version 2026.1.2 or later, which includes proper input validation and output encoding mechanisms for agent registration parameters. Organizations should also implement network-level restrictions on access to the agent registration endpoint, employ web application firewalls to detect and block suspicious requests, and conduct thorough security reviews of all system interfaces that accept user input. Regular security scanning of the TeamCity installation using tools such as OWASP ZAP or Burp Suite can help identify similar vulnerabilities in other parts of the application, while proper logging and monitoring should be implemented to detect unauthorized registration attempts or suspicious script execution patterns.

Responsible

JetBrains

Reservation

07/07/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!