Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (Octopus) · only source for this CVE.
CVSS VectorVendor: Octopus
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.
AnalysisAI
Server-level configuration changes can be made by any authenticated low-privilege user in Octopus Server through a specific API endpoint that fails to enforce authorization correctly, despite returning an error response to the caller. The flaw affects multiple active release lines - 2026.1.x, 2025.4.x, and 2023.x - and carries a CVSS 4.0 score of 6.0 with high availability impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
Octopus Server is an enterprise deployment automation platform by Octopus Deploy, identified by CPE cpe:2.3:a:octopus_deploy:octopus_server:*:*:*:*:*:*:*:*. The root cause is an authorization enforcement failure at a server-level API endpoint, where the permission check either occurs after the action is executed or is silently bypassed despite the API returning an error response to the client. This is a classic Execution Before Authorization (or Confused Deputy) pattern: the caller sees a failure response but the server-side state change is committed. The CWE classification was not assigned in the source data. The CVSS 4.0 Attack Requirements value of AT:P indicates that some condition beyond the attacker's direct control must be present - likely that the specific endpoint is reachable and the server is in a state where the action can be applied - rather than this being exploitable in every default deployment. The CVSS impact profile shows VA:H (high availability impact on the vulnerable system) with no confidentiality or integrity impacts recorded, though the vendor tag 'Information Disclosure' creates a minor inconsistency with the CVSS impact vector that is not reconciled in available public documentation.
RemediationAI
Upgrade to a patched release per the vendor advisory at https://advisories.octopus.com/post/2026/sa2026-04: target version 2026.1.11313 or later for 2026.1.x deployments, 2025.4.10545 or later for 2025.4.x deployments, or 2025.4.10523 or later for installations on the 2023.x long-term support line. As a compensating control pending upgrade, restrict network-layer access to the Octopus Server API to trusted IP ranges or internal networks only, reducing exposure to users who can reach the API from untrusted segments; note this does not eliminate risk from authenticated internal users. Additionally, audit active Octopus Server user accounts and revoke or suspend accounts that do not require ongoing access, reducing the pool of principals who could exploit the low-privilege authentication requirement. No vendor-documented workaround to disable the specific affected endpoint has been identified in available sources.
More in Octopus Server
View allIn Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment
In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUn
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible t
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. Rated critical
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive va
Path traversal in Octopus Deploy allows removing files and file contents on the host through API manipulation. Enables d
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper valid
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsof
In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to in
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an
A race condition was identified through which privilege escalation was possible in certain configurations. Rated high se
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34227
GHSA-hw3f-962q-p4vj