Description
In affected versions of Octopus Deploy, it was possible to remove files and/or the contents of files on the host using an API endpoint. The field lacked validation, which could potentially result in ways to circumvent expected workflows.
Published: 2026-02-25
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Deletion
Action: Assess Impact
AI Analysis

Impact

An API endpoint in Octopus Server does not validate a request field that names a file, so an actor who can call the endpoint can remove files, or empty their contents, on the host. Because the path is not constrained (CWE-22, path traversal), the reach is not limited to the files the workflow was meant to manage: any file the Octopus Server process has permission to modify can be removed or truncated, which is how the "expected workflows" in the description can be circumvented.

Affected Systems

Octopus Deploy Octopus Server, on both Linux and Windows hosts (the NVD CPE entries list both platforms). Neither the description nor this page names the affected or fixed versions, so every deployed instance should be treated as affected until the vendor's advisory or release notes have been checked.

Risk and Exploitability

The vendor-assigned CVSS v4.0 score of 5.9 (Medium) carries the vector AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H: the endpoint is reachable over the network, but the attacker needs high privileges on Octopus Server, attack complexity is high and a precondition must hold, and the impact is to integrity and availability (files removed or emptied), not confidentiality. NVD separately recorded a CVSS v3.1 score of 9.1 (Critical) with PR:N, so tooling keyed to NVD data may rate this far above the vendor's figure; the difference is whether unauthenticated access to the endpoint is assumed. The EPSS score below 1 % and the SSVC assessment (Exploitation: none, Automatable: no) indicate no known exploitation, and the CVE is not in CISA's KEV catalog. Once an attacker can call the endpoint, the missing path validation lets them remove any file on the host that the Octopus Server process can write to.
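The pattern the Impact and Risk sections describe, shown as an added example that is not Octopus Deploy's code and is not taken from the advisory: a hypothetical file-removal handler that joins a request field onto a base directory without validation, beside a hardened version that canonicalizes the path and requires it to stay inside that directory. The base directory, field names and scratch files are assumptions made for the demonstration.

```python
"""Added example, not Octopus Deploy code: the CWE-22 pattern behind an
unvalidated file-removal field, beside a hardened handler.
Assumptions: a base directory the endpoint is meant to manage, a request
field that names a file under it, and a scratch tree built for the demo."""
import os
import tempfile
from pathlib import Path


def delete_unvalidated(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: the request field is joined onto base_dir and used
    as-is. '../' segments walk out of base_dir, and an absolute 'requested'
    makes os.path.join discard base_dir entirely."""
    target = os.path.join(base_dir, requested)
    os.remove(target)
    return target


def resolve_inside(base_dir: str, requested: str) -> Path:
    """Hardened resolution: reject empty, absolute and NUL-containing input,
    canonicalize (symlinks and '..' included), then require the result to be
    strictly inside base_dir. is_relative_to() compares path components, so a
    sibling such as base_dir + '-old' does not pass as a string prefix would."""
    base = Path(base_dir).resolve(strict=True)
    if not requested or Path(requested).is_absolute() or "\x00" in requested:
        raise ValueError("empty, absolute, or NUL-containing path rejected")
    target = (base / requested).resolve(strict=False)
    if target == base or not target.is_relative_to(base):
        raise ValueError(f"path escapes {base}: {requested!r}")
    return target


def delete_validated(base_dir: str, requested: str) -> str:
    """Hardened handler: same behaviour for legitimate input, no reach outside
    base_dir. A symlink planted inside base_dir that points outside is caught
    too, because resolve() follows it before the containment check."""
    target = resolve_inside(base_dir, requested)
    if not target.is_file():
        raise FileNotFoundError(requested)
    target.unlink()
    return str(target)


def demo() -> dict:
    """Runs both handlers against a scratch tree and reports what happened."""
    root = Path(tempfile.mkdtemp())
    allowed = root / "artifacts"          # directory the endpoint should manage
    allowed.mkdir()
    (allowed / "pkg.zip").write_text("payload")
    secret = root / "config.json"         # file outside that directory
    secret.write_text("{}")
    results = {}

    # Vulnerable handler: a traversal field removes the file outside 'artifacts'.
    delete_unvalidated(str(allowed), "../config.json")
    results["vuln_escaped"] = not secret.exists()

    # Hardened handler: traversal and absolute paths are refused before any I/O.
    rejected = []
    for bad in ("../config.json", str(root / "config.json")):
        try:
            delete_validated(str(allowed), bad)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    results["hardened_rejected"] = all(rejected)

    # Hardened handler still serves the legitimate workflow.
    delete_validated(str(allowed), "pkg.zip")
    results["legit_deleted"] = not (allowed / "pkg.zip").exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the canonical path, after symlinks and `..` are resolved, and before any filesystem write; checking the raw string (for example, rejecting `..` substrings) misses absolute paths, mixed separators on Windows, and symlinks. In a .NET service the same shape is `Path.GetFullPath` on the joined path followed by a component-wise comparison against the full path of the base directory; that mapping is stated here as the equivalent, not as what Octopus Server does.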

Generated by OpenCVE AI on April 18, 2026 at 17:42 UTC.

Remediation

This page records no vendor fix or workaround. The description's wording ("in affected versions") implies that fixed releases exist, so the Octopus Deploy advisory and release notes are the place to find the fixed version; the recommendations below are interim controls, not a substitute for that upgrade.

OpenCVE Recommended Actions

  • Upgrade Octopus Server to the release the vendor's advisory identifies as fixed (this page does not name it); if no fixed release is available yet, apply the controls below in the meantime.
  • Configure network controls so the Octopus Server API is reachable only from trusted hosts or subnets.
  • Enforce authentication and authorization on the API so only the intended administrative roles can reach the endpoint. The vendor vector already assumes high privileges (PR:H), so the practical controls are limiting who holds those privileges and protecting their credentials and API keys.
  • Run the Octopus Server service under a least-privilege account so the process cannot delete or truncate files outside its own data and working directories.
  • Monitor for unexpected file deletions or truncations by the Octopus Server process, using host-level file auditing alongside the Octopus audit log, and review API calls made by privileged accounts.
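For the monitoring item, an added example that is not from this page or from Octopus Deploy, and that works at the host level rather than on the Octopus application log because the product's own log format is not shown here: it correlates Linux audit records produced by an auditd rule on unlink/rename/truncate syscalls by the service account, and flags deletions, or failed attempts, whose target lies outside the directories the service is expected to write to. The service uid, the expected roots, the audit key and the log lines are all constructed sample data.

```python
"""Added example, not from the OpenCVE page or Octopus Deploy: correlate Linux
audit records to flag files the Octopus Server service account deleted (or
tried to delete) outside the directories it is expected to write to.
Assumed auditd rule (uid 1001 and the key are placeholders):
  -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,truncate,ftruncate -F uid=1001 -k octopus_unlink
The log lines below are constructed sample data in audit.log layout."""
import re
from collections import defaultdict

AUDIT_KEY = "octopus_unlink"
# Assumption: directories the service legitimately creates and removes files in.
EXPECTED_ROOTS = ("/var/lib/octopus/", "/tmp/")

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1774500000.101:301): arch=c000003e syscall=87 success=yes exit=0 uid=1001 auid=4294967295 comm="Octopus.Server" exe="/opt/octopus/Octopus.Server" key="octopus_unlink"
type=PATH msg=audit(1774500000.101:301): item=0 name="/var/lib/octopus/work/" inode=11 dev=08:01 mode=040755 ouid=1001 ogid=1001 nametype=PARENT
type=PATH msg=audit(1774500000.101:301): item=1 name="/var/lib/octopus/work/pkg.zip" inode=12 dev=08:01 mode=0100644 ouid=1001 ogid=1001 nametype=DELETE
type=SYSCALL msg=audit(1774500000.205:302): arch=c000003e syscall=87 success=yes exit=0 uid=1001 auid=4294967295 comm="Octopus.Server" exe="/opt/octopus/Octopus.Server" key="octopus_unlink"
type=PATH msg=audit(1774500000.205:302): item=0 name="/etc/octopus/" inode=70 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1774500000.205:302): item=1 name="/etc/octopus/server.config" inode=77 dev=08:01 mode=0100640 ouid=0 ogid=1001 nametype=DELETE
type=SYSCALL msg=audit(1774500000.300:303): arch=c000003e syscall=87 success=no exit=-13 uid=1001 auid=4294967295 comm="Octopus.Server" exe="/opt/octopus/Octopus.Server" key="octopus_unlink"
type=PATH msg=audit(1774500000.300:303): item=0 name="/etc/shadow" inode=99 dev=08:01 mode=0100000 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1774500000.400:304): arch=c000003e syscall=87 success=yes exit=0 uid=0 auid=1000 comm="rm" exe="/usr/bin/rm" key=(null)
type=PATH msg=audit(1774500000.400:304): item=1 name="/root/old.log" inode=5 dev=08:01 mode=0100600 ouid=0 ogid=0 nametype=DELETE
"""

MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log_text: str) -> dict:
    """Group audit records by serial number: one syscall yields a SYSCALL
    record plus one PATH record per path argument, all sharing the serial."""
    events = defaultdict(lambda: {"ts": 0.0, "syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        ev = events[m.group(2)]
        ev["ts"] = float(m.group(1))
        if fields.get("type") == "SYSCALL":
            ev["syscall"] = fields
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields)
    return dict(events)


def outside_expected(path: str) -> bool:
    return not any(path.startswith(root) for root in EXPECTED_ROOTS)


def find_suspicious_deletes(log_text: str, key: str = AUDIT_KEY) -> list:
    """Return successful deletions (nametype=DELETE) and failed attempts by the
    tagged service account whose target lies outside EXPECTED_ROOTS. Relative
    names would need the event's CWD record; the sample uses absolute names."""
    findings = []
    for serial, ev in parse_events(log_text).items():
        sc = ev["syscall"]
        if sc is None or sc.get("key") != key:
            continue
        succeeded = sc.get("success") == "yes"
        for p in ev["paths"]:
            kind = p.get("nametype")
            if kind == "PARENT" or (succeeded and kind != "DELETE"):
                continue
            name = p.get("name", "")
            if outside_expected(name):
                findings.append({
                    "serial": serial, "ts": ev["ts"], "path": name,
                    "succeeded": succeeded, "exe": sc.get("exe"), "uid": sc.get("uid"),
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_deletes(SAMPLE_AUDIT_LOG):
        state = "DELETED" if f["succeeded"] else "ATTEMPTED"
        print(f"{state} {f['path']} by uid={f['uid']} exe={f['exe']} (audit serial {f['serial']})")
```

Run against the sample, the legitimate removal under /var/lib/octopus/ is ignored, the deletion of /etc/octopus/server.config and the failed attempt on /etc/shadow are reported, and the root-owned `rm` without the audit key is out of scope. Failed attempts are kept deliberately: a least-privilege service account turns an exploit into a permission error, and that error is the earliest signal. On Windows hosts the equivalent signal is object-access auditing on the relevant directories (Security event 4660, "An object was deleted", with 4663 for the access attempt), filtered to the Octopus service account.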

Generated by OpenCVE AI on April 18, 2026 at 17:42 UTC.

Advisories

No advisories yet.

History

Each entry lists the change type and the values recorded for it.

Sat, 18 Apr 2026 18:00:00 +0000
  • Title: Octopus Server API Endpoint Allows Unvalidated File Removal

Fri, 27 Feb 2026 15:30:00 +0000
  • Weaknesses: CWE-22

Fri, 27 Feb 2026 03:30:00 +0000
  • First Time appeared: Linux; Linux Kernel; Microsoft; Microsoft Windows
  • Weaknesses: NVD-CWE-noinfo
  • CPEs: cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*; cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*; cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux Kernel; Microsoft; Microsoft Windows
  • Metrics (cvssV3_1): {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Thu, 26 Feb 2026 13:30:00 +0000
  • First Time appeared: Octopus; Octopus Server
  • Vendors & Products: Octopus; Octopus Server

Wed, 25 Feb 2026 17:15:00 +0000
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 12:30:00 +0000
  • Description: In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.
  • References
  • Metrics (cvssV4_0): {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}
Subscriptions

Linux: Linux Kernel
Microsoft: Windows
Octopus: Octopus Server
MITRE

Status: PUBLISHED

Assigner: Octopus

Published:

Updated: 2026-02-27T14:48:18.334Z

Reserved: 2026-01-08T01:25:18.708Z

Link: CVE-2026-0704

Vulnrichment

Updated: 2026-02-25T16:07:23.787Z

NVD

Status : Modified

Published: 2026-02-25T13:16:04.337

Modified: 2026-02-27T15:16:26.893

Link: CVE-2026-0704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses