CVE-2026-28196 is a vulnerability identified in JetBrains TeamCity, a widely used continuous integration and build management system. The flaw exists in versions prior to 2025.11.3 and is related to the handling of versioned settings. Specifically, when versioned settings are disabled, TeamCity fails to properly remove or secure a credentials configuration file left on the disk. This is categorized under CWE-459, which pertains to incomplete cleanup of sensitive data, leading to potential information disclosure. The credentials file may contain sensitive authentication data that, if accessed by unauthorized users with local system access, could be used to compromise the build environment or related systems. The vulnerability has a CVSS v3.1 base score of 2.3, reflecting low severity due to the requirement for local access with high privileges and no direct impact on integrity or availability. No known exploits have been reported in the wild, and no official patches have been linked at the time of publication. However, the presence of sensitive credentials on disk can increase the attack surface, especially in environments where multiple users have access or where attackers have already gained some level of system access. This vulnerability highlights the importance of secure credential management and proper cleanup of sensitive files in CI/CD pipelines.

The primary impact of CVE-2026-28196 is the potential disclosure of sensitive credentials stored in configuration files left on disk when versioned settings are disabled in TeamCity. Although the vulnerability requires local access with high privileges, the exposure of credentials could facilitate lateral movement or privilege escalation within an organization's infrastructure. This could lead to unauthorized access to build configurations, source code repositories, or deployment environments. The impact on confidentiality is limited but non-negligible, while integrity and availability remain unaffected. Organizations with shared build servers or insufficient access controls are at higher risk. Since TeamCity is widely used in software development environments globally, the vulnerability could affect many organizations, particularly those with complex CI/CD pipelines and multiple administrators. The lack of known exploits reduces immediate risk, but the vulnerability could be leveraged in targeted attacks or combined with other vulnerabilities to escalate privileges or exfiltrate sensitive data.

To mitigate CVE-2026-28196, organizations should upgrade JetBrains TeamCity to version 2025.11.3 or later, where this issue is addressed. Until an update is applied, administrators should audit their TeamCity configurations to ensure versioned settings are enabled or verify that credentials files are securely managed and removed when no longer needed. Restrict local access to build servers to trusted personnel only and enforce strict file system permissions to prevent unauthorized reading of configuration files. Implement monitoring to detect unusual access patterns to sensitive files. Additionally, consider encrypting credentials at rest and using secure vault solutions integrated with TeamCity to avoid storing plaintext credentials on disk. Regularly review and rotate credentials used within CI/CD pipelines to minimize the impact of potential exposure. Finally, maintain a robust incident response plan to quickly address any detected credential leaks or unauthorized access.