CVE-2026-4881
Analyzed Analyzed - Analysis Complete

Authenticated API Access Bypass in Octopus Server

Vulnerability report for CVE-2026-4881, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-04

Last updated on: 2026-06-30

Assigner: Octopus Deploy

Description

In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-04
Last Modified
2026-06-30
Generated
2026-07-14
AI Q&A
2026-06-04
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
octopus octopus_server From 2023.1.4189 (inc) to 2025.4.10545 (exc)
octopus octopus_server From 2026.1.675 (inc) to 2026.1.11313 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-4881 is a medium-severity vulnerability in Octopus Server versions prior to 2025.4.10545 and 2026.1.11313. It occurs because permissions were not checked correctly on a certain API endpoint, allowing any authenticated user to make unauthorized server-level changes despite receiving an error.

Impact Analysis

This vulnerability allows any authenticated user to perform server-level changes without proper authorization. This could lead to unauthorized modifications of server configurations or operations, potentially compromising the integrity and security of the affected Octopus Server environment.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate CVE-2026-4881, it is recommended to upgrade Octopus Server to version 2026.1.11481 or later.

For users on older versions, applying the specific patches provided by Octopus Deploy is advised.

There are no known alternative mitigations, so immediate upgrade or patching is necessary to prevent potential exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4881. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart