CVE-2026-0704

Summary

In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server2023.0.0 < 2025.3.14715affected
Octopus DeployOctopus Server2025.4.0 < 2025.4.10359affected

Weaknesses

  • File Modification/Deletion Path Traversal

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References