CVE-2026-0704

In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://advisories.octopus.com/post/2026/sa2026-01	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

History

17 Jun 2026, 10:11

Type	Values Removed	Values Added
Summary		(es) En la versión afectada de Octopus Deploy era posible eliminar archivos y/o contenidos de archivos en el host utilizando un endpoint de la API. El campo carecía de validación, lo que podría resultar potencialmente en formas de eludir los flujos de trabajo esperados.

27 Feb 2026, 15:16

Type	Values Removed	Values Added
CWE		CWE-22

27 Feb 2026, 03:29

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
References	~~() https://advisories.octopus.com/post/2026/sa2026-01 -~~	() https://advisories.octopus.com/post/2026/sa2026-01 - Vendor Advisory
CWE		NVD-CWE-noinfo
First Time		Linux Octopus octopus Server Microsoft Microsoft windows Octopus Linux linux Kernel
CPE		cpe:2.3:a:octopus:octopus_server:::::::: cpe:2.3:o:microsoft:windows:-:::::::* cpe:2.3:o:linux:linux_kernel:-:::::::*

25 Feb 2026, 13:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-25 13:16

Updated : 2026-06-17 10:11

NVD link : CVE-2026-0704

Mitre link : CVE-2026-0704

CVE.ORG link : CVE-2026-0704

JSON object : View

Products Affected

octopus

octopus_server

microsoft

windows

linux

linux_kernel

CWE

NVD-CWE-noinfo CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-0704", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-0704", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T15:40:09.659181Z"}}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security@octopus.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "security@octopus.com", "affectedData": [{"vendor": "Octopus Deploy", "product": "Octopus Server", "versions": [{"status": "affected", "version": "2023.0.0", "lessThan": "2025.3.14715", "versionType": "custom"}, {"status": "affected", "version": "2025.4.0", "lessThan": "2025.4.10359", "versionType": "custom"}], "platforms": ["Windows", "Linux"], "defaultStatus": "unaffected"}]}], "published": "2026-02-25T13:16:04.337", "references": [{"url": "https://advisories.octopus.com/post/2026/sa2026-01", "tags": ["Vendor Advisory"], "source": "security@octopus.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows."}, {"lang": "es", "value": "En la versi\u00f3n afectada de Octopus Deploy era posible eliminar archivos y/o contenidos de archivos en el host utilizando un endpoint de la API. El campo carec\u00eda de validaci\u00f3n, lo que podr\u00eda resultar potencialmente en formas de eludir los flujos de trabajo esperados."}], "lastModified": "2026-06-17T10:11:14.340", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "675ECB88-6C10-40FF-AB96-C2A5C952D07E", "versionEndExcluding": "2025.3.14715", "versionStartIncluding": "2023.1.4189"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security@octopus.com"}