CVE-2026-3237

MEDIUM

Octopus Server <2025.3.14731 - Privilege Escalation

Title source: llm

Description

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

References (1)

https://advisories.octopus.com/post/2026/sa2026-03

Scores

CVSS v3 4.3

EPSS 0.0004

EPSS Percentile 10.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Details

CWE

CWE-285

Status published

Products (4)

octopus/octopus_server < 2025.3.14731

Octopus Deploy/Octopus Server 2023.0.0 - 2025.3.14731

Octopus Deploy/Octopus Server 2025.4.0 - 2025.4.10359

Octopus Deploy/Octopus Server 2026.1.0 - 2026.1.5571

Published Mar 17, 2026

Tracked Since Mar 17, 2026