CVE-2025-68267 is a vulnerability identified in JetBrains TeamCity versions before 2025.11.1, classified under CWE-272, which concerns violations of the principle of least privilege. The issue arises because TeamCity stored GitHub personal access tokens (PATs) instead of the more restrictive GitHub installation tokens. PATs typically grant broader access rights, including repository and organizational permissions, whereas installation tokens are scoped more narrowly to specific GitHub App installations. By using PATs, TeamCity inadvertently granted excessive privileges to processes or users that accessed these tokens, increasing the risk of unauthorized actions within GitHub repositories integrated with TeamCity. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting a network attack vector with no privileges or user interaction required, and impacts confidentiality and integrity to a limited extent but does not affect availability. Although no exploits have been reported in the wild, the vulnerability could be leveraged by attackers to escalate privileges within CI/CD pipelines, potentially leading to unauthorized code changes or data exposure. The flaw was publicly disclosed on December 16, 2025, and JetBrains has addressed it in version 2025.11.1 by switching to the use of GitHub installation tokens, which enforce stricter access controls. Organizations using affected versions should prioritize patching and audit their token usage to prevent misuse.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of source code and related assets managed through TeamCity integrations with GitHub. Unauthorized access via excessive privileges could allow attackers to modify build configurations, inject malicious code, or exfiltrate sensitive information. This could disrupt software supply chains and damage organizational reputation. Given the widespread use of JetBrains TeamCity in software development environments across Europe, especially in countries with large tech sectors, the impact could be significant if exploited. However, the absence of known exploits and the medium severity rating suggest the threat is moderate but warrants timely remediation to avoid potential escalation. Organizations involved in critical infrastructure, finance, or government sectors may face higher risks due to the sensitivity of their codebases and regulatory requirements around data protection and software integrity.

The primary mitigation is to upgrade JetBrains TeamCity to version 2025.11.1 or later, where the vulnerability has been fixed by replacing GitHub personal access tokens with installation tokens. Organizations should also audit their current token usage in TeamCity integrations to identify any stored PATs and revoke or replace them with installation tokens where possible. Implement strict access controls and monitoring around CI/CD systems to detect unusual token usage or repository access patterns. Employ role-based access control (RBAC) to limit who can configure or access tokens within TeamCity. Additionally, enforce secure storage and rotation policies for all credentials used in CI/CD pipelines. Regularly review and update integration permissions to adhere to the principle of least privilege. Finally, maintain awareness of JetBrains security advisories and apply patches promptly.