CVE-2026-3237

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://advisories.octopus.com/post/2026/sa2026-03	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:octopus:octopus_server::::::::
	cpe:2.3:a:octopus:octopus_server::::::::
	cpe:2.3:a:octopus:octopus_server::::::::

History

07 Apr 2026, 01:00

Type	Values Removed	Values Added
Summary		(es) En las versiones afectadas de Octopus Server era posible para un usuario con bajos privilegios manipular una solicitud de API para cambiar los plazos de caducidad y revocación de la clave de firma a través de un endpoint de API que tenía una validación de permisos incorrecta. No era posible exponer las claves de firma utilizando esta vulnerabilidad.
First Time		Octopus Octopus octopus Server
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
References	~~() https://advisories.octopus.com/post/2026/sa2026-03 -~~	() https://advisories.octopus.com/post/2026/sa2026-03 - Vendor Advisory
CPE		cpe:2.3:a:octopus:octopus_server::::::::

17 Mar 2026, 14:20

Type	Values Removed	Values Added
CWE		CWE-285

17 Mar 2026, 07:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-17 07:16

Updated : 2026-04-07 01:00

NVD link : CVE-2026-3237

Mitre link : CVE-2026-3237

CVE.ORG link : CVE-2026-3237

JSON object : View

Products Affected

octopus

octopus_server

CWE

CWE-285

Improper Authorization

{"id": "CVE-2026-3237", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security@octopus.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-17T07:16:03.610", "references": [{"url": "https://advisories.octopus.com/post/2026/sa2026-03", "tags": ["Vendor Advisory"], "source": "security@octopus.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability."}, {"lang": "es", "value": "En las versiones afectadas de Octopus Server era posible para un usuario con bajos privilegios manipular una solicitud de API para cambiar los plazos de caducidad y revocaci\u00f3n de la clave de firma a trav\u00e9s de un endpoint de API que ten\u00eda una validaci\u00f3n de permisos incorrecta. No era posible exponer las claves de firma utilizando esta vulnerabilidad."}], "lastModified": "2026-04-07T01:00:20.390", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33159148-02D1-4BF7-9757-9BE7EDE5812F", "versionEndExcluding": "2025.3.14731"}, {"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DDD68927-7049-4FF9-A9B1-EDEA0DF967B5", "versionEndExcluding": "2025.4.10359", "versionStartIncluding": "2025.4.51"}, {"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B52D0F4C-0A73-4692-B1D7-3335509A2E93", "versionEndExcluding": "2026.1.5571", "versionStartIncluding": "2026.1.675"}], "operator": "OR"}]}], "sourceIdentifier": "security@octopus.com"}