Cross-Site Request Forgery in JetBrains TeamCity GraphQL Endpoint
CVE-2025-54536

5.4 MEDIUM

Key Information:

Vendor

JetBrains

Status
Vendor
CVE Published:
28 July 2025

What is CVE-2025-54536?

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the GraphQL endpoint of JetBrains TeamCity versions prior to 2025.07. The flaw allows an attacker to abuse an authenticated user's session and potentially have actions performed without the user's consent. Organizations using TeamCity should urgently review their security posture and apply the necessary updates to protect against unauthorized requests that could compromise data integrity and system operations.

Affected Version(s)

TeamCity: versions before 2025.07

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
