CVE-2026-0704
Received Received - Intake
Path Traversal in Octopus Deploy API Allows File Deletion

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: Octopus Deploy

Description
In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0704
EUVD
EUVD-2026-8636
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
octopus octopus_server From 2023.1.4189 (inc) to 2025.3.14715 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0704 is a medium severity path traversal vulnerability in Octopus Server affecting Windows and Linux operating systems.

The vulnerability arises because an API endpoint in affected versions lacks proper validation of input fields, allowing unauthorized users to remove or modify files on the host system.

This lack of validation enables attackers to bypass expected workflows and manipulate files, potentially causing unintended file deletions or modifications.

Impact Analysis

This vulnerability can allow an attacker with access to the vulnerable API endpoint to delete or modify files on the host system where Octopus Deploy is running.

Such unauthorized file manipulation could disrupt normal operations, cause data loss, or compromise the integrity of the system.

Because the vulnerability allows bypassing expected workflows, it may lead to unexpected behavior or system instability.

Compliance Impact

I don't know

Detection Guidance

There are no specific detection commands or network/system detection methods provided for this vulnerability in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade Octopus Deploy to a fixed version that addresses the vulnerability.

  • Upgrade to version 2025.4.10446 or higher, which is the latest recommended fixed version.
  • If unable to upgrade to the latest version, upgrade at least to 2025.3.14715 for 2023.x, 2024.x, 2025.1.x, 2025.2.x, and 2025.3.x branches.
  • For the 2025.4.x branch, upgrade at least to 2025.4.10359.

No other known mitigations exist aside from upgrading to a patched version.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0704. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart