CVE-2026-3237

Low CVSS: 2.3

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

Vendor

Octopus

Product

Octopus Server

CWE

CWE-285

Yayın Tarihi

2026-03-17 07:16:03

Güncelleme

2026-04-07 01:00:20

Source Identifier

security@octopus.com

KEV Date Added

Kategoriler

CWE-285 Octopus Server LOW Octopus 2026

Referanslar

https://advisories.octopus.com/post/2026/sa2026-03

Benzer Kayıtlar

Low

CVE-2026-3236

In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting i…

Medium

CVE-2026-0704

In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API…

Medium

CVE-2025-0539

In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests th…

Medium

CVE-2025-0588

In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all se…

Low

CVE-2025-0513

In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could con…

Low

CVE-2025-0526

In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API…