Description
In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token.
Published: 2026-03-05
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via API key lifetime abuse
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to create a new API key from an existing access token in Octopus Server, with the new key receiving a lifetime that exceeds that of the original API key used to mint the token. This effectively extends an authenticated session's validity beyond its intended duration, enabling an attacker to perform unauthorized actions for a longer period. The weakness is a privilege escalation caused by an incorrect authorization check on the derived key's lifetime, classified as CWE-863 (Incorrect Authorization).
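The invariant the advisory describes, shown as an added illustration rather than Octopus Server's own code (the credential model and function names are hypothetical): a key minted through an access token must not outlive the API key that minted that token. The vulnerable minting routine is placed beside the capped one.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model of the credential chain in the advisory (hypothetical names,
# not Octopus Server's code): an API key mints an access token, and that token
# is then used to mint a new API key.
@dataclass
class Credential:
    kind: str                              # "api_key" or "access_token"
    expires_at: datetime
    parent: Optional["Credential"] = None  # credential this one was minted from

def origin_key_expiry(cred: Credential) -> Optional[datetime]:
    """Earliest expiry among the API keys this credential descends from."""
    limit = None
    node = cred.parent
    while node is not None:
        if node.kind == "api_key" and (limit is None or node.expires_at < limit):
            limit = node.expires_at
        node = node.parent
    return limit

def mint_api_key_unsafe(token: Credential, requested: datetime) -> Credential:
    # Vulnerable pattern: the lifetime comes from the request alone, so the new
    # key can outlive the API key that minted the token.
    return Credential("api_key", requested, parent=token)

def mint_api_key_safe(token: Credential, requested: datetime) -> Credential:
    # Hardened: never exceed the expiry of the originating API key.
    limit = origin_key_expiry(token)
    if limit is not None and requested > limit:
        requested = limit
    return Credential("api_key", requested, parent=token)

def outlives_origin(key: Credential) -> bool:
    """True when a derived key expires after the API key it descends from."""
    limit = origin_key_expiry(key)
    return limit is not None and key.expires_at > limit

def demo() -> dict:
    # Constructed sample: a 7-day API key mints a 1-hour token; a key minted
    # from that token is requested with a 365-day lifetime.
    base = datetime(2026, 3, 5, tzinfo=timezone.utc)
    root = Credential("api_key", base + timedelta(days=7))
    token = Credential("access_token", base + timedelta(hours=1), parent=root)
    unsafe = mint_api_key_unsafe(token, base + timedelta(days=365))
    safe = mint_api_key_safe(token, base + timedelta(days=365))
    return {"unsafe_outlives_origin": outlives_origin(unsafe),
            "safe_outlives_origin": outlives_origin(safe),
            "safe_expires_at": safe.expires_at.isoformat()}
```

Running `demo()` shows the unsafe path producing a key that outlives its origin, while the safe path clamps the new key to the root API key's expiry.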

Affected Systems

Octopus Deploy’s Octopus Server product is affected; no specific product versions are listed, so all currently running installations require verification.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the EPSS score of less than 1% suggests exploitation is unlikely in the wild. However, exploitation requires only an authenticated principal: any individual or process that possesses a valid access token can use it to generate a longer-lived key. The vulnerability is not listed in the CISA KEV catalog, which further lowers the immediacy of risk. Nevertheless, once a key with an extended lifetime is created, the holder retains access to the system's APIs for longer than the original credential allowed, which can lead to privilege escalation and potential data exposure.

Generated by OpenCVE AI on April 16, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Octopus Server to a version that includes the fix for the API key lifetime flaw.
  • Revoke any API keys that were minted from access tokens before the patch was applied, and regenerate them with appropriate lifetimes.
  • Review and tighten token lifecycle policies to enforce the intended maximum key lifetime and restrict token sharing among users.


Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:45:00 +0000

Type: Title
Values Added: API Key Lifetime Abuse via Access Token in Octopus Server

Fri, 13 Mar 2026 01:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Octopus, Octopus Octopus Server

Type: Vendors & Products
Values Added: Octopus, Octopus Octopus Server

Thu, 05 Mar 2026 10:45:00 +0000

Type: Description
Values Added: In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token.

Type: Weaknesses
Values Added: CWE-863

Type: References (no values listed)

Type: Metrics
Values Added: cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Octopus

Published:

Updated: 2026-03-05T14:17:07.392Z

Reserved: 2026-02-26T00:25:55.210Z

Link: CVE-2026-3236

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-03-05T11:15:54.400

Modified: 2026-03-13T01:30:06.483

Link: CVE-2026-3236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses