How to Protect Your TeamCity On-Premises Server from CVE-2026-44413

Introduction

If you run a self-hosted TeamCity server, there's a critical security flaw you need to address immediately. Tracked as CVE-2026-44413, this high-severity vulnerability affects all on-premises versions through 2025.11.4. It allows any authenticated user to expose parts of the TeamCity API to unauthorized individuals. The good news? JetBrains has released fixes—either by updating to version 2026.1 or installing a security patch plugin. TeamCity Cloud users are safe and don't need to do anything. This guide walks you through identifying the issue and applying the right mitigation for your setup.

Source: blog.jetbrains.com

What You Need

  • Admin access to your TeamCity On-Premises server (either via the web UI or file system).
  • Internet connectivity (for downloading updates or the patch plugin).
  • Backup of your TeamCity data and configuration (recommended before any major change).
  • TeamCity version identification – check your current version under Administration > Server Administration.
  • If upgrading: enough disk space for the new installation.
  • If using the patch plugin: a compatible TeamCity version (2017.1 or newer).

Step-by-Step Instructions

Step 1: Confirm Your Server Is Vulnerable

First, determine your TeamCity version. Log in as an administrator, go to Administration > Server Administration and look for the version number. If it is 2025.11.4 or older and the server is on-premises, you are affected. If you use TeamCity Cloud, no action is needed; your environment is already patched. The vulnerability was privately reported on April 30, 2026 by Martin Orem, so treat this as a confirmed threat.

Step 2: Choose Your Mitigation Path

You have two main options to fix CVE-2026-44413:

  • Upgrade to TeamCity 2026.1 (recommended) – includes the permanent fix and other improvements.
  • Apply a security patch plugin – available for TeamCity 2017.1 and newer, if you cannot upgrade immediately.

If your server is publicly accessible on the internet and you cannot apply either fix right away, temporarily restrict external access (e.g., via firewall) until you can patch.

Step 3: Option A – Upgrade to TeamCity 2026.1

Upgrading is the most straightforward and complete fix.

  1. Download the latest installer from the official JetBrains website (version 2026.1).
  2. Back up your current TeamCity data directory (.BuildServer) and configuration. This is crucial in case you need to roll back.
  3. Install the new version:
    • Windows: Run the installer and follow the prompts. It will typically preserve your existing data and settings.
    • Linux: Extract the archive and run bin/teamcity-server.sh start after stopping the old server.
    • Docker: Pull the new image (jetbrains/teamcity-server:2026.1) and recreate your container.
  4. Use automatic update in TeamCity (if you have internet access): Go to Administration > Updates. If an update to 2026.1 is available, you'll see a prompt. Follow the on-screen instructions to upgrade.
  5. Verify the update: After the server restarts, check the version again under Administration > Server Administration – it should now be 2026.1.
  6. Test functionality: Ensure your builds, agents, and integrations are working as expected.

Step 4: Option B – Apply the Security Patch Plugin

If upgrading is not feasible (e.g., due to licensing, dependencies, or downtime constraints), use the dedicated security patch plugin that addresses only CVE-2026-44413.

Option B1 – Manual Installation (all versions 2017.1+)

  1. Download the security patch plugin from the JetBrains security page (look for the plugin for CVE-2026-44413).
  2. Copy the .zip file to your TeamCity server's .BuildServer/plugins directory. If the plugins folder doesn't exist, create it.
  3. Restart the TeamCity server if you run versions 2017.1 to 2018.1, where a restart is required. On TeamCity 2018.2 and newer, you can enable the plugin without restarting; see the next step.
  4. If no restart is needed: go to Administration > Plugins List, find the security patch plugin and click Enable (or just confirm it's loaded).
  5. Verify the patch is active: Check the plugin status – it should indicate that CVE-2026-44413 is patched.

Option B2 – Automatic Download (TeamCity 2024.03 and newer)

  1. Ensure notifications are configured. In Administration > Updates, your server will automatically check for available security patches.
  2. Go to Administration > Updates. Under “Available security updates”, you should see the patch for CVE-2026-44413.
  3. Apply the patch by clicking the install button. No restart is needed for 2024.03+ – the plugin loads dynamically.
  4. Confirm the patch is applied in the plugin list.

Important Caveat

The security patch plugin only fixes CVE-2026-44413. It does not include other improvements or security fixes present in version 2026.1. Therefore, plan to upgrade fully at your earliest convenience.
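
The version thresholds from Steps 1 to 4 can be applied to a whole inventory of servers in one pass. The following is an added example, not code from JetBrains or the original post; the function names, hostnames and sample version strings are constructed for illustration.

```python
import re

# Version thresholds exactly as stated on this page.
LAST_AFFECTED = (2025, 11, 4)   # on-premises versions through this are affected
FIXED_IN = (2026, 1, 0)         # release containing the permanent fix
PLUGIN_MIN = (2017, 1, 0)       # oldest version the patch plugin supports
NO_RESTART_MIN = (2018, 2, 0)   # plugin can be enabled without a restart
AUTO_PATCH_MIN = (2024, 3, 0)   # patch is offered under Administration > Updates


def parse_version(text):
    """Return (major, minor, patch) from e.g. 'TeamCity 2025.11.4 (build N)'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(version_text, cloud=False):
    """Map one server to the mitigation options this guide gives for it."""
    if cloud:
        return {"status": "not affected (TeamCity Cloud)", "actions": []}
    v = parse_version(version_text)
    if v >= FIXED_IN:
        return {"status": "fixed", "actions": []}
    if v > LAST_AFFECTED:
        # The guide names no release between 2025.11.4 and 2026.1.
        return {"status": "not covered by this guide", "actions": ["check the advisory"]}
    actions = ["upgrade to 2026.1"]
    if v >= AUTO_PATCH_MIN:
        actions.append("install patch from Administration > Updates (no restart)")
    if v >= PLUGIN_MIN:
        tail = "enable in Plugins List" if v >= NO_RESTART_MIN else "restart server"
        actions.append(f"copy patch plugin zip to <data dir>/plugins, then {tail}")
    return {"status": "vulnerable", "actions": actions}


if __name__ == "__main__":
    # Constructed inventory; hostnames and build numbers are made up.
    fleet = {
        "ci-legacy": "TeamCity Enterprise 2017.2.4 (build 00000)",
        "ci-main": "TeamCity Enterprise 2025.11.4 (build 00000)",
        "ci-new": "TeamCity Professional 2026.1 (build 00000)",
    }
    for host, ver in fleet.items():
        print(host, triage(ver))
```

Servers older than 2017.1 come back with the upgrade as their only action, because the patch plugin does not support them.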


Step 5: Test and Monitor

After applying either mitigation:

  • Run a few builds to ensure no breakage.
  • Check that only authorized users can access the API. You can test by attempting to access API endpoints without proper credentials (they should be blocked).
  • Monitor TeamCity logs for any unusual activity related to API access.
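
One way to script the credential-less check described above against your own server (added example, not JetBrains code). The three REST paths are assumptions chosen for illustration, since the page does not name the endpoints affected by CVE-2026-44413, and the base URL is whatever your server uses.

```python
import urllib.error
import urllib.request

# Assumption: common TeamCity REST paths picked for illustration only.
PATHS = ("/app/rest/server", "/app/rest/projects", "/app/rest/users")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        # Surface 3xx as an HTTPError instead of following it to a login
        # page that would answer 200 and hide the real result.
        return None


def fetch_status(url, timeout=10):
    """HTTP status of a GET sent without credentials, or None if unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except OSError:  # URLError, timeouts, refused connections
        return None


def classify(status):
    """Translate a status code into the outcome Step 5 asks you to confirm."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "blocked"
    if 300 <= status < 400:
        return "redirected"  # usually a login redirect; confirm by hand
    if 200 <= status < 300:
        return "EXPOSED"     # content served without credentials
    return "other"


def audit(base_url, paths=PATHS, fetch=fetch_status):
    """Return ({path: outcome}, [paths that answered without credentials])."""
    base = base_url.rstrip("/")
    results = {p: classify(fetch(base + p)) for p in paths}
    return results, [p for p, outcome in results.items() if outcome == "EXPOSED"]
```

Run `audit("https://<your-teamcity-host>")` before and after patching and investigate any path reported as exposed.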

Tips for Success

  • Always back up before any upgrade or plugin installation. Your .BuildServer directory contains critical data.
  • Plan for downtime – even a quick upgrade or plugin restart will temporarily disrupt builds. Inform your team.
  • If publicly exposed and you cannot patch immediately, consider a VPN or IP whitelist to restrict access.
  • Automate future updates – enable automatic security patch notifications in TeamCity (Administration > Updates) so you catch urgent patches early.
  • Review the official release notes for 2026.1 – they may contain additional security improvements or breaking changes.
  • For older TeamCity versions (2017.1 to 2018.1) remember the required server restart after installing the plugin.
  • Stay informed – monitor the JetBrains security advisory page for any follow-up patches or updates.