CVE-2026-3237

EPSS 0.15%
Veröffentlicht 17.03.2026 06:37:59
Zuletzt bearbeitet 07.04.2026 01:00:20
Quelle security@octopus.com
CVE-Watchlists
Login
Unerledigt
Login

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 3 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Octopus ≫ Octopus Server Version < 2025.3.14731

Octopus ≫ Octopus Server Version >= 2025.4.51 < 2025.4.10359

Octopus ≫ Octopus Server Version >= 2026.1.675 < 2026.1.5571

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.15%	0.047

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
security@octopus.com	2.3	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://advisories.octopus.com/post/2026/sa2026-03

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-3237

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3237

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3237

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-3237