Description
In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.
Published: 2026-03-17
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Alter Signing Key Expiration
Action: Apply Patch
AI Analysis

Impact

Octopus Deploy’s Octopus Server contains a flaw in an API endpoint that incorrectly validates permissions. An authenticated user with low privileges can send a crafted request to change the expiration and revocation dates of signing keys used by the system. This does not expose the signing keys themselves, but it allows the attacker to shorten or extend the valid life of those keys, potentially disrupting the integrity of secure communications within the deployment environment.

Affected Systems

The vulnerability affects the Octopus Deploy Octopus Server product. Specific version information is not provided in the CVE data; therefore it is unclear which releases contain the issue. Administrators should consult the vendor advisory or support resources to determine whether their server instance is affected.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity impact. The EPSS score of less than 1% suggests that exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the API, so the attack vector is likely limited to users with API privileges. Even though the risk is reduced compared to more severe weaknesses, the ability to manipulate key lifetimes can undermine the trust model of the deployment pipeline and should be addressed promptly.

Generated by OpenCVE AI on April 7, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑released patch or upgrade to a non‑vulnerable Octopus Server version.
  • Verify that signing key expiration settings match the intended policy after remediation.
  • Monitor API usage for anomalous changes to key expiration values.
  • If a patch is not yet available, restrict the affected API endpoint to privileged users or temporarily disable it until a fix is applied.

Generated by OpenCVE AI on April 7, 2026 at 10:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Octopus Server API endpoint allows low‑privileged users to alter signing key expiration

Tue, 07 Apr 2026 07:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Title Octopus Server API endpoint allows low‑privileged users to alter signing key expiration

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Octopus
Octopus octopus Server
Vendors & Products Octopus
Octopus octopus Server

Tue, 17 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
Description In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Octopus Octopus Server
cve-icon MITRE

Status: PUBLISHED

Assigner: Octopus

Published:

Updated: 2026-03-17T13:20:24.029Z

Reserved: 2026-02-26T00:26:01.068Z

Link: CVE-2026-3237

cve-icon Vulnrichment

Updated: 2026-03-17T13:20:14.956Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-17T07:16:03.610

Modified: 2026-04-07T01:00:20.390

Link: CVE-2026-3237

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:01:32Z

Weaknesses