This vulnerability (CVE-2026-49372) affects JetBrains TeamCity prior to versions 2026.1 and 2025.11.5. It allows unauthenticated attackers to perform SSRF attacks through the build status functionality. SSRF (CWE-918) enables attackers to make the server send crafted requests to internal or external systems, potentially exposing sensitive information or enabling further attacks. The CVSS v3.1 base score is 7.5, reflecting high severity due to network attack vector, no required privileges or user interaction, and high confidentiality impact. Integrity and availability impacts are not affected. As of the published date, no official patch or remediation level has been disclosed by JetBrains, and no exploits are known in the wild.

An unauthenticated attacker can exploit this SSRF vulnerability to make the TeamCity server send arbitrary HTTP requests, potentially accessing internal resources or services that are otherwise inaccessible. The confidentiality of information may be compromised, but integrity and availability are not impacted according to the CVSS vector. This could lead to information disclosure or reconnaissance opportunities for attackers.

Patch status is not yet confirmed — check the JetBrains vendor advisory for current remediation guidance. Since no official fix or remediation level has been published, users should monitor JetBrains advisories closely. Until a patch is available, consider restricting network access to the TeamCity server and limiting its ability to make outbound HTTP requests as a temporary mitigation.