CVE-2026-3237

EUVD-2026-12544
In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Affected Products (NVD)
VendorProductVersion
octopusoctopus_server
𝑥
< 2025.3.14731
octopusoctopus_server
2025.4.51 ≤
𝑥
< 2025.4.10359
octopusoctopus_server
2026.1.675 ≤
𝑥
< 2026.1.5571
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://advisories.octopus.com/post/2026/sa2026-03