Skip to main content

Octopus Server CVE-2026-4881

| EUVDEUVD-2026-34227 MEDIUM
Missing Authorization (CWE-862)
2026-06-04 Octopus GHSA-hw3f-962q-p4vj
6.0
CVSS 4.0 · Vendor: Octopus
Share

Severity by source

Vendor (Octopus) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (Octopus) · only source for this CVE.

CVSS VectorVendor: Octopus

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 04, 2026 - 12:23 vuln.today
Patch available
Jun 04, 2026 - 11:16 EUVD
CVSS changed
Jun 04, 2026 - 10:22 NVD
6.0 (MEDIUM)
CVE Published
Jun 04, 2026 - 08:49 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.

AnalysisAI

Server-level configuration changes can be made by any authenticated low-privilege user in Octopus Server through a specific API endpoint that fails to enforce authorization correctly, despite returning an error response to the caller. The flaw affects multiple active release lines - 2026.1.x, 2025.4.x, and 2023.x - and carries a CVSS 4.0 score of 6.0 with high availability impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

Octopus Server is an enterprise deployment automation platform by Octopus Deploy, identified by CPE cpe:2.3:a:octopus_deploy:octopus_server:*:*:*:*:*:*:*:*. The root cause is an authorization enforcement failure at a server-level API endpoint, where the permission check either occurs after the action is executed or is silently bypassed despite the API returning an error response to the client. This is a classic Execution Before Authorization (or Confused Deputy) pattern: the caller sees a failure response but the server-side state change is committed. The CWE classification was not assigned in the source data. The CVSS 4.0 Attack Requirements value of AT:P indicates that some condition beyond the attacker's direct control must be present - likely that the specific endpoint is reachable and the server is in a state where the action can be applied - rather than this being exploitable in every default deployment. The CVSS impact profile shows VA:H (high availability impact on the vulnerable system) with no confidentiality or integrity impacts recorded, though the vendor tag 'Information Disclosure' creates a minor inconsistency with the CVSS impact vector that is not reconciled in available public documentation.

RemediationAI

Upgrade to a patched release per the vendor advisory at https://advisories.octopus.com/post/2026/sa2026-04: target version 2026.1.11313 or later for 2026.1.x deployments, 2025.4.10545 or later for 2025.4.x deployments, or 2025.4.10523 or later for installations on the 2023.x long-term support line. As a compensating control pending upgrade, restrict network-layer access to the Octopus Server API to trusted IP ranges or internal networks only, reducing exposure to users who can reach the API from untrusted segments; note this does not eliminate risk from authenticated internal users. Additionally, audit active Octopus Server user accounts and revoke or suspend accounts that do not require ongoing access, reducing the pool of principals who could exploit the low-privilege authentication requirement. No vendor-documented workaround to disable the specific affected endpoint has been identified in available sources.

CVE-2018-18850 HIGH POC
8.8 Oct 31

In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment

CVE-2019-11632 HIGH POC
8.1 May 01

In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUn

CVE-2022-2572 CRITICAL
9.8 Nov 01

In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible t

CVE-2022-2778 CRITICAL
9.8 Sep 30

In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. Rated critical

CVE-2018-11320 CRITICAL
9.8 May 21

In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive va

CVE-2026-0704 CRITICAL
9.1 Feb 25

Path traversal in Octopus Deploy allows removing files and file contents on the host through API manipulation. Enables d

CVE-2022-2782 CRITICAL
9.1 Oct 27

In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper valid

CVE-2024-9194 HIGH
8.7 Sep 30

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsof

CVE-2022-2780 HIGH
8.1 Oct 14

In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to in

CVE-2021-26556 HIGH
7.8 Oct 07

When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an

CVE-2024-2975 HIGH
7.5 Apr 09

A race condition was identified through which privilege escalation was possible in certain configurations. Rated high se

CVE-2023-1904 HIGH
7.5 Dec 14

In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the

Share

CVE-2026-4881 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy