This vulnerability in JetBrains TeamCity involves improper authorization controls leading to exposure of credential parameters via the parameter autocompletion feature. Specifically, in versions prior to 2026.1, users with some level of access could see sensitive credential data that should have been protected. The issue is tracked as CWE-862, indicating missing authorization checks. The CVSS 3.1 base score is 4.3, reflecting a network attack vector with low complexity and no user interaction required, resulting in limited confidentiality impact without affecting integrity or availability. No official patch or remediation guidance is currently documented by the vendor.

The vulnerability allows unauthorized disclosure of credential parameters through autocompletion, potentially exposing sensitive information to users who should not have access. This could lead to confidentiality breaches but does not affect system integrity or availability. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to TeamCity instances to trusted users only and consider disabling or limiting parameter autocompletion features if possible to reduce exposure risk.