CVE-2026-3237
Improper Permission Validation in Octopus Server API Allows Key Timing Manipulation
Publication date: 2026-03-17
Last updated on: 2026-04-07
Assigner: Octopus Deploy
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| octopus | octopus_server | to 2025.3.14731 (exc) |
| octopus | octopus_server | From 2025.4.51 (inc) to 2025.4.10359 (exc) |
| octopus | octopus_server | From 2026.1.675 (inc) to 2026.1.5571 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3237 is a low-severity vulnerability in Octopus Server that allows a low-privilege user to manipulate an API request to change the signing key expiration and revocation time frames. This happens because an API endpoint has incorrect permission validation. However, the vulnerability does not allow the exposure of the signing keys themselves.
How can this vulnerability impact me? :
The vulnerability could allow a low-privilege user to alter the timing settings for signing key expiration and revocation, potentially affecting the security policies related to key management. While the signing keys cannot be exposed, manipulating these time frames might lead to keys being valid longer or revoked sooner than intended, which could impact system security and trust in signed data or communications.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or methods provided to identify this vulnerability on your network or system.
The vulnerability involves manipulation of an API request to change signing key expiration and revocation time frames due to incorrect permission validation, but no public detection tools or commands are mentioned.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade Octopus Server to the latest fixed version.
- Upgrade to Octopus Server version 2026.1.11242 or higher.
- If unable to upgrade to the latest version, upgrade to the fixed versions: 2025.3.14731, 2025.4.10359, or 2026.1.5571 depending on your current version.
No other mitigations besides upgrading are known.