CVE-2026-3237

MEDIUM

Octopus Server <2025.3.14731 - Privilege Escalation

Title source: llm

Description

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

References (1)

Core 1

Core References

https://advisories.octopus.com/post/2026/sa2026-03

Scores

CVSS v3 4.3

EPSS 0.0015

EPSS Percentile 4.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-285

Status published

Products (4)

octopus/octopus_server < 2025.3.14731

Octopus Deploy/Octopus Server 2023.0.0 - 2025.3.14731

Octopus Deploy/Octopus Server 2025.4.0 - 2025.4.10359

Octopus Deploy/Octopus Server 2026.1.0 - 2026.1.5571

Published Mar 17, 2026

Tracked Since Mar 17, 2026