CVE-2026-0704
Received Received - Intake
Path Traversal in Octopus Deploy API Allows File Deletion

Publication date: 2026-02-25

Last updated on: 2026-02-27

Assigner: Octopus Deploy

Description
In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Affected Vendors & Products
Vendor Product Version
octopus octopus_server From 2023.1.4189 (inc) to 2025.3.14715 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-0704 is a medium severity path traversal vulnerability in Octopus Server affecting Windows and Linux operating systems.

The vulnerability arises because an API endpoint in affected versions lacks proper validation of input fields, allowing unauthorized users to remove or modify files on the host system.

This lack of validation enables attackers to bypass expected workflows and manipulate files, potentially causing unintended file deletions or modifications.


How can this vulnerability impact me? :

This vulnerability can allow an attacker with access to the vulnerable API endpoint to delete or modify files on the host system where Octopus Deploy is running.

Such unauthorized file manipulation could disrupt normal operations, cause data loss, or compromise the integrity of the system.

Because the vulnerability allows bypassing expected workflows, it may lead to unexpected behavior or system instability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There are no specific detection commands or network/system detection methods provided for this vulnerability in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Octopus Deploy to a fixed version that addresses the vulnerability.

  • Upgrade to version 2025.4.10446 or higher, which is the latest recommended fixed version.
  • If unable to upgrade to the latest version, upgrade at least to 2025.3.14715 for 2023.x, 2024.x, 2025.1.x, 2025.2.x, and 2025.3.x branches.
  • For the 2025.4.x branch, upgrade at least to 2025.4.10359.

No other known mitigations exist aside from upgrading to a patched version.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart
Meta Information
CVE Publication Date:
2026-02-25
CVE Last Modified Date:
2026-02-27
Report Generation Date:
2026-04-01
AI Powered Q&A Generation:
2026-02-25
EPSS Last Evaluated Date:
2026-03-31
NVD Report Link:
EUVD Report Link: