CVE-2026-3236

In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://advisories.octopus.com/post/2026/sa2026-02	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:octopus:octopus_server::::::::
	cpe:2.3:a:octopus:octopus_server::::::::

History

13 Mar 2026, 01:30

Type	Values Removed	Values Added
Summary		(es) En las versiones afectadas de Octopus Server era posible crear una nueva clave de API a partir de un token de acceso existente, lo que resultaba en que la nueva clave de API tuviera una vida útil que excedía la clave de API original utilizada para generar el token de acceso.
First Time		Octopus Octopus octopus Server
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
References	~~() https://advisories.octopus.com/post/2026/sa2026-02 -~~	() https://advisories.octopus.com/post/2026/sa2026-02 - Vendor Advisory
CPE		cpe:2.3:a:octopus:octopus_server::::::::

05 Mar 2026, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 11:15

Updated : 2026-03-13 01:30

NVD link : CVE-2026-3236

Mitre link : CVE-2026-3236

CVE.ORG link : CVE-2026-3236

JSON object : View

Products Affected

octopus

octopus_server

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-3236", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security@octopus.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-05T11:15:54.400", "references": [{"url": "https://advisories.octopus.com/post/2026/sa2026-02", "tags": ["Vendor Advisory"], "source": "security@octopus.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@octopus.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token."}, {"lang": "es", "value": "En las versiones afectadas de Octopus Server era posible crear una nueva clave de API a partir de un token de acceso existente, lo que resultaba en que la nueva clave de API tuviera una vida \u00fatil que exced\u00eda la clave de API original utilizada para generar el token de acceso."}], "lastModified": "2026-03-13T01:30:06.483", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8B609A0F-1C05-47BB-BA71-2A549AF037F8", "versionEndExcluding": "2025.3.14761", "versionStartIncluding": "2023.1.4189"}, {"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C328575-4BD6-4E45-B5D8-FBC4BCDD7E66", "versionEndExcluding": "2025.4.10409", "versionStartIncluding": "2025.4.51"}], "operator": "OR"}]}], "sourceIdentifier": "security@octopus.com"}