Introduction
An argument injection flaw in JetBrains TeamCity's Perforce VCS integration allows authenticated users to achieve remote code execution on the build server by crafting malicious connection settings. For organizations relying on TeamCity as the backbone of their CI/CD pipelines, this vulnerability (CVSS 7.1) opens a direct path from a compromised or malicious developer account to full control over build infrastructure, source code, and deployment credentials.
This vulnerability was disclosed on 2026-05-29 alongside at least 10 other TeamCity CVEs, several rated High severity, indicating a broad security audit of the platform. It also continues a pattern: a prior Perforce integration flaw (CVE-2025-68164) enabled port enumeration via the same connection test functionality, and this new CVE escalates the impact from information disclosure to full remote code execution.
Technical Information
Root Cause: CWE-88 Argument Injection
CVE-2026-49373 is classified under CWE-88: Improper Neutralization of Argument Delimiters in a Command. According to MITRE's definition, this weakness occurs when "the argument of a function that invokes a command processor" is not properly sanitized, enabling an attacker to "modify command line arguments" and potentially "execute arbitrary commands or read and modify data anywhere on the system." CWE-88 is a child of CWE-77 (Command Injection) and represents a specialized variant: rather than injecting entirely new commands, the attacker manipulates the arguments passed to an existing command invocation.
The Perforce Integration Attack Surface
TeamCity supports Perforce (Helix Core) as a VCS root type. When configuring a Perforce VCS root, TeamCity collects connection parameters including the Perforce server address (P4PORT), username, password, workspace (client) name, and other settings. These parameters are ultimately passed to the Perforce command line client (p4) when TeamCity performs source code checkout operations during builds.
The vulnerability exists because the Perforce connection settings fields were not properly sanitized for argument delimiter characters. Special delimiter characters (such as spaces, quotes, or shell metacharacters) within a connection parameter value are interpreted as separate arguments by the command processor rather than as part of a single parameter value. This allows an attacker to inject additional, attacker controlled arguments into the p4 command invocation.
Exploitation Flow
The likely exploitation path proceeds as follows:
- An authenticated user with permissions to create or modify VCS root configurations in TeamCity crafts a malicious Perforce connection setting value containing argument delimiters.
- When TeamCity executes a build that references this VCS root, the unsanitized value is passed as part of the
p4command line invocation. - The injected arguments alter the behavior of the
p4command, enabling the attacker to execute arbitrary code on the TeamCity server with the privileges of the TeamCity server process.
The authentication requirement aligns with TeamCity's permission model for VCS root configuration. However, this does not substantially reduce risk in practice: compromised developer credentials, overly permissive role assignments, or insider threats can all provide the necessary access.
Escalation from CVE-2025-68164
A related vulnerability, CVE-2025-68164, disclosed earlier and resolved in TeamCity 2025.11, involved port enumeration via the Perforce connection test functionality. The progression from a Low severity information disclosure to a High severity RCE in the same subsystem underscores the importance of thorough security remediation of VCS connection modules.
| Attribute | CVE-2025-68164 | CVE-2026-49373 |
|---|---|---|
| Description | Port enumeration via Perforce connection test | RCE via Perforce connection settings |
| Severity | Low | High (CVSS 7.1) |
| CWE | Not specified | CWE-88 |
| Fix Version | 2025.11 | 2026.1 |
| Attack Type | Information Disclosure | Remote Code Execution |
Supply Chain Implications
Because TeamCity orchestrates build and deployment pipelines, RCE on the server grants an attacker the ability to: inject malicious code into build artifacts destined for production, exfiltrate source code and secrets stored in build configurations, pivot laterally using deployment credentials managed by the CI/CD system, and tamper with build logs to conceal evidence of compromise.
Affected Systems and Versions
All versions of JetBrains TeamCity prior to 2026.1 that use Perforce VCS root configurations are affected. The fix is included in TeamCity 2026.1.
For organizations unable to upgrade immediately, JetBrains provides a security patch plugin compatible with TeamCity versions 2017.1 and later.
CVE-2026-49373 was disclosed alongside multiple other TeamCity vulnerabilities. The following table summarizes the coordinated disclosure:
| CVE ID | Severity | Fix Version |
|---|---|---|
| CVE-2026-49373 | High (CVSS 7.1) | 2026.1 |
| CVE-2026-44413 | High | 2026.1, 2025.11.5 |
| CVE-2026-49372 | High | 2026.1, 2025.11.5 |
| CVE-2026-49374 | High | 2026.1 |
| CVE-2026-49371 | High | 2026.1.1 |
| CVE-2026-49375 | Medium | 2026.1, 2025.11.5 |
| CVE-2026-49376 | Medium | 2026.1 |
| CVE-2026-49377 | Medium | 2025.11.2 |
| CVE-2026-49378 | Medium | 2026.1 |
| CVE-2026-49379 | Medium | 2026.1 |
| CVE-2026-49380 | Low | 2026.1 |
| CVE-2026-49381 | Low | 2026.1 |
Upgrading to TeamCity 2026.1 addresses all listed CVEs except CVE-2026-49371, which requires version 2026.1.1.
Vendor Security History
JetBrains has a documented track record of security findings in TeamCity. VCS integration modules, covering both Git and Perforce, have been recurring sources of vulnerabilities including path traversal, credential leakage, and now argument injection.
The company self reports vulnerabilities through [email protected], indicating a responsible disclosure posture. JetBrains also provides backward compatible security patch plugins for older versions, enabling customers who cannot immediately upgrade to still receive critical fixes. In March 2026, JetBrains published a detailed blog post on CI/CD plugin architecture security risks, demonstrating awareness of the broader threat landscape facing build infrastructure.
However, the volume of simultaneously disclosed High severity CVEs (at least five in this batch alone) suggests the platform's attack surface remains substantial and warrants continuous scrutiny from security teams.
References
- NVD: CVE-2026-49373
- JetBrains Fixed Security Issues
- JetBrains TeamCity Fixed Security Issues (Product Filtered)
- CWE-88: Improper Neutralization of Argument Delimiters in a Command (MITRE)
- CWE-77: Improper Neutralization of Special Elements used in a Command (MITRE)
- High Severity Security Issue Affecting TeamCity On Premises (CVE-2026-44413)
- TeamCity 2026.1 Release Announcement
- What's New in TeamCity 2026.1
- What Are The Security Risks of CI/CD Plugin Architectures? (JetBrains Blog)
- TeamCity Vulnerability CVE-2026-44413 (Help Net Security)
- Stormshield: Multiple Vulnerabilities in TeamCity



