CVE-2026-28195: CWE-862 in JetBrains TeamCity
CVE-2026-28195 is a medium severity vulnerability in JetBrains TeamCity versions prior to 2025.11.3. It involves missing authorization checks that allow project developers to add parameters to build configurations without proper permissions. This flaw corresponds to CWE-862 (Missing Authorization). The vulnerability requires low privileges (project developer role) but no user interaction and can be exploited remotely over the network. While it does not impact confidentiality or availability, it can affect the integrity of build configurations, potentially leading to unauthorized build behavior. No known exploits are reported in the wild yet. Organizations using TeamCity should upgrade to version 2025.11.
AI Analysis
Technical Summary
CVE-2026-28195 is a vulnerability identified in JetBrains TeamCity, a popular continuous integration and build management system widely used in software development environments. The issue arises from missing authorization controls that allow users with the project developer role to add parameters to build configurations without proper permission checks. This vulnerability is categorized under CWE-862, which refers to missing authorization, indicating that the system fails to verify whether the user is authorized to perform a specific action. The affected versions include all TeamCity releases before 2025.11.3. The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring the attacker to have project developer privileges (PR:L) but no user interaction (UI:N). The scope is unchanged (S:U), and the impact affects only integrity (I:L), with no impact on confidentiality or availability. By adding unauthorized parameters to build configurations, an attacker could manipulate build processes, potentially injecting malicious build steps or altering build behavior, which could lead to compromised software artifacts or downstream security issues. Although no known exploits are currently reported in the wild, the presence of this vulnerability in a critical development tool poses a risk to software supply chain integrity. JetBrains has published the vulnerability with a CVSS v3.1 base score of 4.3 (medium severity) and recommends updating to version 2025.11.3 or later where the authorization checks have been properly implemented.
Potential Impact
The primary impact of CVE-2026-28195 is on the integrity of build configurations within TeamCity environments. Unauthorized addition of build parameters by project developers can lead to manipulation of build processes, potentially introducing malicious code, altering build outputs, or bypassing security controls embedded in the build pipeline. This can compromise the software supply chain, affecting the trustworthiness of software artifacts produced. While confidentiality and availability are not directly impacted, the integrity breach can have cascading effects, including deployment of compromised software to production environments. Organizations relying heavily on TeamCity for continuous integration and deployment are at risk of compromised build integrity, which can lead to security incidents, regulatory compliance issues, and damage to reputation. The requirement for project developer privileges limits the attack surface to insiders or compromised accounts with elevated permissions, but given the critical nature of build systems, this remains a significant concern.
Mitigation Recommendations
To mitigate CVE-2026-28195, organizations should immediately upgrade JetBrains TeamCity to version 2025.11.3 or later, where the missing authorization checks have been addressed. Additionally, organizations should enforce strict access controls and least privilege principles, ensuring that only trusted users have project developer roles. Implement multi-factor authentication (MFA) for all users with elevated privileges to reduce the risk of account compromise. Regularly audit build configurations and parameter changes to detect unauthorized modifications. Employ monitoring and alerting on build system activities to quickly identify suspicious behavior. Consider isolating build environments and using immutable infrastructure principles to limit the impact of any unauthorized changes. Finally, integrate security scanning and code signing in the build pipeline to detect and prevent the deployment of tampered artifacts.
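The version check and the parameter audit recommended above can be scripted. The following is an added example, not JetBrains code or part of the original advisory: it flags server versions older than 2025.11.3 and reports parameters added or changed relative to an approved baseline. The snapshot layout (build configuration ID mapped to a name/value dictionary) and the sample data are assumptions constructed for illustration.

```python
import re

FIXED_VERSION = (2025, 11, 3)  # first fixed release according to the advisory


def is_affected(version: str) -> bool:
    """True if a TeamCity version string such as '2025.11.2' predates the fix."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parsed = tuple(int(g or 0) for g in m.groups())  # '2025.11' -> (2025, 11, 0)
    return parsed < FIXED_VERSION


def audit_parameters(baseline: dict, current: dict) -> list:
    """Return (config_id, name, kind, priority) for each parameter that was
    added or changed since the approved baseline snapshot."""
    findings = []
    for config_id, params in sorted(current.items()):
        approved = baseline.get(config_id, {})
        for name, value in sorted(params.items()):
            if name not in approved:
                kind = "added"
            elif approved[name] != value:
                kind = "changed"
            else:
                continue
            # env.* and system.* parameters are passed to the build process
            # itself, so review those first.
            priority = "high" if name.startswith(("env.", "system.")) else "normal"
            findings.append((config_id, name, kind, priority))
    return findings


# Constructed sample snapshots (assumed layout, not real TeamCity output).
BASELINE = {"Backend_Build": {"env.JAVA_HOME": "/opt/jdk21",
                              "deploy.target": "staging"}}
CURRENT = {"Backend_Build": {"env.JAVA_HOME": "/opt/jdk21",
                             "deploy.target": "production",
                             "env.BUILD_FLAGS": "-x"}}

if __name__ == "__main__":
    print("server affected:", is_affected("2025.11.2"))
    for finding in audit_parameters(BASELINE, CURRENT):
        print(finding)
```

Each finding still has to be matched against who was permitted to edit that build configuration; the script only surfaces the drift.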
Affected Countries
United States, Germany, United Kingdom, France, Japan, Canada, Australia, Netherlands, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: JetBrains
- Date Reserved: 2026-02-25T12:35:12.999Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699ef887b7ef31ef0b0c395a
Added to database: 2/25/2026, 1:26:31 PM
Last enriched: 2/25/2026, 1:41:18 PM
Last updated: 2/25/2026, 2:29:01 PM