CVE-2026-3237

UNKNOWN 0.0

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

Vendor	octopus deploy
Product	octopus server
Published	Mar 17, 2026
Last Updated	Mar 17, 2026

Stay Ahead of the Next One

Get instant alerts for octopus deploy octopus server

Be the first to know when new unknown vulnerabilities affecting octopus deploy octopus server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Octopus Deploy / Octopus Server

2023.0.0 < 2025.3.14731 2025.4.0 < 2025.4.10359 2026.1.0 < 2026.1.5571

References

NVD ↗ CVE.org ↗ EPSS Data ↗

advisories.octopus.com: https://advisories.octopus.com/post/2026/sa2026-03

Credits

This vulnerability was found by raihanadiarba