CVE-2026-3237
Received Received - Intake
Improper Permission Validation in Octopus Server API Allows Key Timing Manipulation

Publication date: 2026-03-17

Last updated on: 2026-04-07

Assigner: Octopus Deploy

Description
In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3237
EUVD
EUVD-2026-12544
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
octopus octopus_server to 2025.3.14731 (exc)
octopus octopus_server From 2025.4.51 (inc) to 2025.4.10359 (exc)
octopus octopus_server From 2026.1.675 (inc) to 2026.1.5571 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3237 is a low-severity vulnerability in Octopus Server that allows a low-privilege user to manipulate an API request to change the signing key expiration and revocation time frames. This happens because an API endpoint has incorrect permission validation. However, the vulnerability does not allow the exposure of the signing keys themselves.

Impact Analysis

The vulnerability could allow a low-privilege user to alter the timing settings for signing key expiration and revocation, potentially affecting the security policies related to key management. While the signing keys cannot be exposed, manipulating these time frames might lead to keys being valid longer or revoked sooner than intended, which could impact system security and trust in signed data or communications.

Compliance Impact

I don't know

Detection Guidance

There are no specific detection commands or methods provided to identify this vulnerability on your network or system.

The vulnerability involves manipulation of an API request to change signing key expiration and revocation time frames due to incorrect permission validation, but no public detection tools or commands are mentioned.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade Octopus Server to the latest fixed version.

  • Upgrade to Octopus Server version 2026.1.11242 or higher.
  • If unable to upgrade to the latest version, upgrade to the fixed versions: 2025.3.14731, 2025.4.10359, or 2026.1.5571 depending on your current version.

No other mitigations besides upgrading are known.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3237. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart