ZeroPath at Black Hat USA 2026

JetBrains TeamCity CVE-2026-49373: Brief Summary of Argument Injection RCE via Perforce Connection Settings

A brief summary of CVE-2026-49373, a high severity argument injection vulnerability in JetBrains TeamCity that enables remote code execution through malicious Perforce VCS root connection settings.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-29

JetBrains TeamCity CVE-2026-49373: Brief Summary of Argument Injection RCE via Perforce Connection Settings
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An argument injection flaw in JetBrains TeamCity's Perforce VCS integration allows authenticated users to achieve remote code execution on the build server by crafting malicious connection settings. For organizations relying on TeamCity as the backbone of their CI/CD pipelines, this vulnerability (CVSS 7.1) opens a direct path from a compromised or malicious developer account to full control over build infrastructure, source code, and deployment credentials.

This vulnerability was disclosed on 2026-05-29 alongside at least 10 other TeamCity CVEs, several rated High severity, indicating a broad security audit of the platform. It also continues a pattern: a prior Perforce integration flaw (CVE-2025-68164) enabled port enumeration via the same connection test functionality, and this new CVE escalates the impact from information disclosure to full remote code execution.

Technical Information

Root Cause: CWE-88 Argument Injection

CVE-2026-49373 is classified under CWE-88: Improper Neutralization of Argument Delimiters in a Command. According to MITRE's definition, this weakness occurs when "the argument of a function that invokes a command processor" is not properly sanitized, enabling an attacker to "modify command line arguments" and potentially "execute arbitrary commands or read and modify data anywhere on the system." CWE-88 is a child of CWE-77 (Command Injection) and represents a specialized variant: rather than injecting entirely new commands, the attacker manipulates the arguments passed to an existing command invocation.

The Perforce Integration Attack Surface

TeamCity supports Perforce (Helix Core) as a VCS root type. When configuring a Perforce VCS root, TeamCity collects connection parameters including the Perforce server address (P4PORT), username, password, workspace (client) name, and other settings. These parameters are ultimately passed to the Perforce command line client (p4) when TeamCity performs source code checkout operations during builds.

The vulnerability exists because the Perforce connection settings fields were not properly sanitized for argument delimiter characters. Special delimiter characters (such as spaces, quotes, or shell metacharacters) within a connection parameter value are interpreted as separate arguments by the command processor rather than as part of a single parameter value. This allows an attacker to inject additional, attacker controlled arguments into the p4 command invocation.

Exploitation Flow

The likely exploitation path proceeds as follows:

  1. An authenticated user with permissions to create or modify VCS root configurations in TeamCity crafts a malicious Perforce connection setting value containing argument delimiters.
  2. When TeamCity executes a build that references this VCS root, the unsanitized value is passed as part of the p4 command line invocation.
  3. The injected arguments alter the behavior of the p4 command, enabling the attacker to execute arbitrary code on the TeamCity server with the privileges of the TeamCity server process.

The authentication requirement aligns with TeamCity's permission model for VCS root configuration. However, this does not substantially reduce risk in practice: compromised developer credentials, overly permissive role assignments, or insider threats can all provide the necessary access.

Escalation from CVE-2025-68164

A related vulnerability, CVE-2025-68164, disclosed earlier and resolved in TeamCity 2025.11, involved port enumeration via the Perforce connection test functionality. The progression from a Low severity information disclosure to a High severity RCE in the same subsystem underscores the importance of thorough security remediation of VCS connection modules.

AttributeCVE-2025-68164CVE-2026-49373
DescriptionPort enumeration via Perforce connection testRCE via Perforce connection settings
SeverityLowHigh (CVSS 7.1)
CWENot specifiedCWE-88
Fix Version2025.112026.1
Attack TypeInformation DisclosureRemote Code Execution

Supply Chain Implications

Because TeamCity orchestrates build and deployment pipelines, RCE on the server grants an attacker the ability to: inject malicious code into build artifacts destined for production, exfiltrate source code and secrets stored in build configurations, pivot laterally using deployment credentials managed by the CI/CD system, and tamper with build logs to conceal evidence of compromise.

Affected Systems and Versions

All versions of JetBrains TeamCity prior to 2026.1 that use Perforce VCS root configurations are affected. The fix is included in TeamCity 2026.1.

For organizations unable to upgrade immediately, JetBrains provides a security patch plugin compatible with TeamCity versions 2017.1 and later.

CVE-2026-49373 was disclosed alongside multiple other TeamCity vulnerabilities. The following table summarizes the coordinated disclosure:

CVE IDSeverityFix Version
CVE-2026-49373High (CVSS 7.1)2026.1
CVE-2026-44413High2026.1, 2025.11.5
CVE-2026-49372High2026.1, 2025.11.5
CVE-2026-49374High2026.1
CVE-2026-49371High2026.1.1
CVE-2026-49375Medium2026.1, 2025.11.5
CVE-2026-49376Medium2026.1
CVE-2026-49377Medium2025.11.2
CVE-2026-49378Medium2026.1
CVE-2026-49379Medium2026.1
CVE-2026-49380Low2026.1
CVE-2026-49381Low2026.1

Upgrading to TeamCity 2026.1 addresses all listed CVEs except CVE-2026-49371, which requires version 2026.1.1.

Vendor Security History

JetBrains has a documented track record of security findings in TeamCity. VCS integration modules, covering both Git and Perforce, have been recurring sources of vulnerabilities including path traversal, credential leakage, and now argument injection.

The company self reports vulnerabilities through [email protected], indicating a responsible disclosure posture. JetBrains also provides backward compatible security patch plugins for older versions, enabling customers who cannot immediately upgrade to still receive critical fixes. In March 2026, JetBrains published a detailed blog post on CI/CD plugin architecture security risks, demonstrating awareness of the broader threat landscape facing build infrastructure.

However, the volume of simultaneously disclosed High severity CVEs (at least five in this batch alone) suggests the platform's attack surface remains substantial and warrants continuous scrutiny from security teams.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization