CVE-2026-4881

Summary

In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server2023.0.0 < 2025.4.10523affected
Octopus DeployOctopus Server2025.4.0 < 2025.4.10545affected
Octopus DeployOctopus Server2026.1.0 < 2026.1.11313affected

Weaknesses

  • Insufficient permission checks on an API endpoint

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References