CVE-2026-4881
Status: Awaiting Analysis (queue)
Authenticated API Access Bypass in Octopus Server

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: Octopus Deploy

Description
In affected versions of Octopus Server, permissions were not checked correctly, so any authenticated user could make server-level changes through a certain API endpoint even though the request returned an error.
Meta Information
Generated: 2026-06-24
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-23
References: NVD, EUVD
Affected Vendors & Products (10 associated CPEs)
Vendor    Product   Version / Range
octopus   server    up to 2025.4.10545 (exc)
octopus   server    up to 2026.1.11313 (exc)
octopus   server    2026.1.11481
octopus   server    from 2023.0.0 (inc) to 2025.1.0 (exc)
octopus   server    from 2024.0.0 (inc) to 2025.1.0 (exc)
octopus   server    from 2025.1.0 (inc) to 2025.4.0 (exc)
octopus   server    from 2025.2.0 (inc) to 2025.4.0 (exc)
octopus   server    from 2025.3.0 (inc) to 2025.4.0 (exc)
octopus   server    from 2025.4.0 (inc) to 2025.4.10545 (exc)
octopus   server    from 2026.1.0 (inc) to 2026.1.11313 (exc)
CWE ID    Description
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Impact Analysis

This vulnerability allows any authenticated user to perform server-level changes without proper authorization. This could lead to unauthorized modifications of server configurations or operations, potentially compromising the integrity and security of the affected Octopus Server environment.

Mitigation Strategies

To mitigate CVE-2026-4881, it is recommended to upgrade Octopus Server to version 2026.1.11481 or later.

For users on older versions, applying the specific patches provided by Octopus Deploy is advised.

There are no known alternative mitigations, so immediate upgrade or patching is necessary to prevent potential exploitation.

Executive Summary

CVE-2026-4881 is a medium-severity vulnerability in Octopus Server versions prior to 2025.4.10545 and 2026.1.11313. It occurs because permissions were not checked correctly on a certain API endpoint, allowing any authenticated user to make unauthorized server-level changes despite receiving an error.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
