CVE-2026-3237
2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Octopus Deploy | Octopus Server | 2023.0.0 < 2025.3.14731 | affected |
| Octopus Deploy | Octopus Server | 2025.4.0 < 2025.4.10359 | affected |
| Octopus Deploy | Octopus Server | 2026.1.0 < 2026.1.5571 | affected |
Weaknesses
- Low-Privilege User Can Modify Global Signing Key Settings
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.