CVE-2025-0526

LOW CVSS 4.0: 2.3 EPSS 0.08%
Updated Jul 02, 2025
Octopus
Parameter | Value
CVSS | 2.3 (LOW)
Affected Versions | 2022.4.791 — 2024.4.7091
Fixed In | 2024.3.13097
Type | CWE-862 (Missing Authorization)
Vendor | Octopus
Public PoC | No

In affected versions of Octopus Deploy, it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation, which could potentially provide ways to circumvent expected workflows.

Attack Parameters

Attack Vector | Network | Can be exploited remotely
Attack Complexity | Low | Easy to exploit
Attack Requirements | Present | Additional conditions required
Privileges Required | Low | Basic privileges needed
User Interaction | None | No user interaction needed

Impact Assessment

Confidentiality | None | No data leak
Integrity | Low | Partial data modification
Availability | Low | Partial disruption

CVSS Vector v4.0

Vulnerable Products 3

Configuration | From (including) | Up to (excluding)
Octopus Octopus_Server, cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:* | 2022.4.791 | 2024.3.13097
Octopus Octopus_Server, cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:* | 2024.4.401 | 2024.4.7091
Microsoft Windows, cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* | |