Octopus Server
Monthly
Stored Cross-Site Scripting in Octopus Server allows authenticated high-privilege users to embed malicious JavaScript payloads through the artifact upload mechanism, which execute in the browsers of other users who interact with the affected artifact. The CVSS 4.0 vector (PR:H, UI:A, VC:H) confirms exploitation requires elevated access and victim interaction, with the primary impact being confidentiality - likely session token or credential theft. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog at time of analysis.
Server-level configuration changes can be made by any authenticated low-privilege user in Octopus Server through a specific API endpoint that fails to enforce authorization correctly, despite returning an error response to the caller. The flaw affects multiple active release lines - 2026.1.x, 2025.4.x, and 2023.x - and carries a CVSS 4.0 score of 6.0 with high availability impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
A security vulnerability in affected (CVSS 2.3). Remediation should follow standard vulnerability management procedures.
Octopus Server allows authenticated attackers to generate new API keys from existing access tokens with extended lifetimes that exceed the original token's validity period. This token lifetime extension vulnerability (CWE-863) could enable attackers with valid credentials to maintain persistent access beyond intended restrictions. The vulnerability affects Octopus Server with no patch currently available.
Path traversal in Octopus Deploy allows removing files and file contents on the host through API manipulation. Enables data destruction on the deployment server.
In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In affected versions of Octopus Server error messages were handled unsafely on the error page. Rated low severity (CVSS 1.8), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Linux allows SQL Injection.1.0 before. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Affected versions of Octopus Server had a weak content security policy. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A race condition was identified through which privilege escalation was possible in certain configurations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Octopus Deploy 3.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Stored Cross-Site Scripting in Octopus Server allows authenticated high-privilege users to embed malicious JavaScript payloads through the artifact upload mechanism, which execute in the browsers of other users who interact with the affected artifact. The CVSS 4.0 vector (PR:H, UI:A, VC:H) confirms exploitation requires elevated access and victim interaction, with the primary impact being confidentiality - likely session token or credential theft. No public exploit code exists and the vulnerability has not been added to the CISA KEV catalog at time of analysis.
Server-level configuration changes can be made by any authenticated low-privilege user in Octopus Server through a specific API endpoint that fails to enforce authorization correctly, despite returning an error response to the caller. The flaw affects multiple active release lines - 2026.1.x, 2025.4.x, and 2023.x - and carries a CVSS 4.0 score of 6.0 with high availability impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
A security vulnerability in affected (CVSS 2.3). Remediation should follow standard vulnerability management procedures.
Octopus Server allows authenticated attackers to generate new API keys from existing access tokens with extended lifetimes that exceed the original token's validity period. This token lifetime extension vulnerability (CWE-863) could enable attackers with valid credentials to maintain persistent access beyond intended restrictions. The vulnerability affects Octopus Server with no patch currently available.
Path traversal in Octopus Deploy allows removing files and file contents on the host through API manipulation. Enables data destruction on the deployment server.
In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In affected versions of Octopus Server error messages were handled unsafely on the error page. Rated low severity (CVSS 1.8), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows Octopus Server on Windows, Linux allows SQL Injection.1.0 before. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Affected versions of Octopus Server had a weak content security policy. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum lifespan. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A race condition was identified through which privilege escalation was possible in certain configurations. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaint-text in when verbose logging is enabled. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to due to verbose error messaging. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request resulting in the potential for an NTLM relay attack. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object Reference (IDOR) vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value masking will only partially work. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.
In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing packages. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download Project Exports from a Project they do not have permissions. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user using DLL side-loading to gain privileged access. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Octopus Deploy 3.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view sensitive values. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to view sensitive values by visiting a server configuration. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote authenticated users to view sensitive Terraform output. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the Service Fabric Cluster target is configured in Azure Active. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted NuGet package, potentially overwriting other packages or. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.