CVE-2026-4881
Status: Received - Intake
Authenticated API Access Bypass in Octopus Server

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: Octopus Deploy

Description
In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-04
Generated: 2026-06-04
AI Q&A: 2026-06-04
EPSS Evaluated: N/A
Affected Vendors & Products (10 associated CPEs)
Vendor    Product   Version / Range
octopus   server    to 2025.4.10545 (exc)
octopus   server    to 2026.1.11313 (exc)
octopus   server    2026.1.11481
octopus   server    From 2023.0.0 (inc) to 2025.1.0 (exc)
octopus   server    From 2024.0.0 (inc) to 2025.1.0 (exc)
octopus   server    From 2025.1.0 (inc) to 2025.4.0 (exc)
octopus   server    From 2025.2.0 (inc) to 2025.4.0 (exc)
octopus   server    From 2025.3.0 (inc) to 2025.4.0 (exc)
octopus   server    From 2025.4.0 (inc) to 2025.4.10545 (exc)
octopus   server    From 2026.1.0 (inc) to 2026.1.11313 (exc)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
How can this vulnerability impact me?

This vulnerability allows any authenticated user to perform server-level changes without proper authorization. This could lead to unauthorized modifications of server configurations or operations, potentially compromising the integrity and security of the affected Octopus Server environment.


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2026-4881, it is recommended to upgrade Octopus Server to version 2026.1.11481 or later.

For users on older versions, applying the specific patches provided by Octopus Deploy is advised.

There are no known alternative mitigations, so immediate upgrade or patching is necessary to prevent potential exploitation.


Can you explain this vulnerability to me?

CVE-2026-4881 is a medium-severity vulnerability in Octopus Server versions prior to 2025.4.10545 and 2026.1.11313. It occurs because permissions were not checked correctly on a certain API endpoint, allowing any authenticated user to make unauthorized server-level changes despite receiving an error.

