CVE-2026-3237 Octopus Deploy — Exploit & Vulnerability Details LOW

Parameter	Value
CVSS	2.3 (LOW)
Affected Versions	2025.4.51 — 2026.1.5571
Fixed In	2025.3.14731
Type	CWE-285 (Improper Authorization)
Vendor	Octopus Deploy
Public PoC	No

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

Present

Additional conditions required

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

Low

Partial data modification

Availability

None

No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-285 Improper Authorization

Vulnerable Products 3

Configuration	From (including)	Up to (excluding)
Octopus Octopus_Server cpe:2.3:a:octopus:octopus_server::::::::	—	`2025.3.14731`
Octopus Octopus_Server cpe:2.3:a:octopus:octopus_server::::::::	`2025.4.51`	`2025.4.10359`
Octopus Octopus_Server cpe:2.3:a:octopus:octopus_server::::::::	`2026.1.675`	`2026.1.5571`

References 1

https://advisories.octopus.com/post/2026/sa2026-03

security@octopus.com

Menu

CVE-2026-3237

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

Vulnerable Products 3

References 1

CVE Details

Editor's Choice

Menu

CVE-2026-3237

Attack Parameters

Impact Assessment

CVSS Vector v4.0

Weakness Type (CWE)

Vulnerable Products 3

References 1

CVE Details

Editor's Choice

Stay informed on cybersecurity