CVE-2026-28194 is classified as a CWE-601 open redirect vulnerability found in JetBrains TeamCity versions before 2025.11.3. The vulnerability occurs in the React project creation flow, where the application improperly handles URL redirection parameters, allowing an attacker to manipulate the redirect destination. This flaw can be exploited by crafting malicious URLs that redirect users to external, potentially malicious websites after interacting with the TeamCity interface. The vulnerability does not require authentication but does require user interaction, such as clicking a link. The CVSS 3.1 base score is 4.3, reflecting a medium severity level due to its limited impact on confidentiality (partial information disclosure risk) and no impact on integrity or availability. The attack vector is network-based, with low attack complexity and no privileges required. While no known exploits have been reported in the wild, the vulnerability poses a risk of phishing and social engineering attacks leveraging trusted TeamCity URLs. The absence of a patch link suggests users should upgrade to version 2025.11.3 or later, where the issue is resolved. Proper input validation and URL sanitization are critical to prevent exploitation.

The primary impact of this vulnerability is the potential for phishing and social engineering attacks. Attackers can exploit the open redirect to lure users into visiting malicious websites under the guise of legitimate TeamCity URLs, potentially leading to credential theft, malware infection, or other secondary attacks. Although the vulnerability does not directly compromise system confidentiality, integrity, or availability, it undermines user trust and can facilitate broader attacks targeting development teams. Organizations relying on TeamCity for continuous integration and deployment may face increased risk of targeted phishing campaigns, especially if users are accustomed to interacting with TeamCity URLs. The medium severity rating reflects the limited direct technical impact but acknowledges the significant risk posed by social engineering vectors. No known active exploitation reduces immediate risk but does not eliminate the threat, especially in high-value environments.

To mitigate CVE-2026-28194, organizations should promptly upgrade JetBrains TeamCity to version 2025.11.3 or later, where the vulnerability is fixed. In addition, administrators should audit and restrict the use of redirect parameters within TeamCity workflows, ensuring that only validated and whitelisted URLs are allowed for redirection. Implement strict input validation and output encoding on all URL parameters involved in redirection to prevent manipulation. Security teams should educate users about the risks of clicking on unexpected or suspicious links, even if they appear to originate from trusted internal tools. Monitoring web traffic for unusual redirect patterns can help detect exploitation attempts. Employing web application firewalls (WAFs) with rules targeting open redirect patterns may provide additional protection. Finally, integrating security awareness training focused on phishing risks related to internal tools can reduce the likelihood of successful social engineering attacks.