CVE-2026-3237

Summary

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server2023.0.0 < 2025.3.14731affected
Octopus DeployOctopus Server2025.4.0 < 2025.4.10359affected
Octopus DeployOctopus Server2026.1.0 < 2026.1.5571affected

Weaknesses

  • Low-Privilege User Can Modify Global Signing Key Settings

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References