CVE-2026-3237 - Vulnerability Details - OpenCVE

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Octopus	Octopus Server

No data.

No data.

References

Link	Providers
https://advisories.octopus.com/post/2026/sa2026-03

History

Tue, 17 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-285
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 17 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Octopus Octopus octopus Server
Vendors & Products		Octopus Octopus octopus Server

Tue, 17 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
Description		In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.
References		https://advisories.octopus.com/post/2026/sa2026-03
Metrics		cvssV4_0 `{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Octopus

Published: 2026-03-17T06:37:59.369Z

Updated: 2026-03-17T13:20:24.029Z

Reserved: 2026-02-26T00:26:01.068Z

Link: CVE-2026-3237

Vulnrichment

Updated: 2026-03-17T13:20:14.956Z

NVD

Status : Awaiting Analysis

Published: 2026-03-17T07:16:03.610

Modified: 2026-03-17T14:20:01.670

Link: CVE-2026-3237

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3237", "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "state": "PUBLISHED", "assignerShortName": "Octopus", "dateReserved": "2026-02-26T00:26:01.068Z", "datePublished": "2026-03-17T06:37:59.369Z", "dateUpdated": "2026-03-17T13:20:24.029Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus", "dateUpdated": "2026-03-17T06:37:59.369Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "description": "Low-Privilege User Can Modify Global Signing Key Settings"}]}], "affected": [{"vendor": "Octopus Deploy", "product": "Octopus Server", "platforms": ["Windows"], "versions": [{"status": "affected", "version": "2023.0.0", "lessThan": "2025.3.14731", "versionType": "custom"}, {"status": "affected", "version": "2025.4.0", "lessThan": "2025.4.10359", "versionType": "custom"}, {"status": "affected", "version": "2026.1.0", "lessThan": "2026.1.5571", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability."}]}], "references": [{"url": "https://advisories.octopus.com/post/2026/sa2026-03"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "LOW", "baseScore": 2.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "This vulnerability was found by raihanadiarba", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "CWE-285 Improper Authorization"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T13:20:19.497726Z", "id": "CVE-2026-3237", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:20:24.029Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3237", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T13:20:19.497726Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T13:20:14.956Z"}}], "cna": {"source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability was found by raihanadiarba"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Octopus Deploy", "product": "Octopus Server", "versions": [{"status": "affected", "version": "2023.0.0", "lessThan": "2025.3.14731", "versionType": "custom"}, {"status": "affected", "version": "2025.4.0", "lessThan": "2025.4.10359", "versionType": "custom"}, {"status": "affected", "version": "2026.1.0", "lessThan": "2026.1.5571", "versionType": "custom"}], "platforms": ["Windows"], "defaultStatus": "unaffected"}], "references": [{"url": "https://advisories.octopus.com/post/2026/sa2026-03"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Low-Privilege User Can Modify Global Signing Key Settings"}]}], "providerMetadata": {"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus", "dateUpdated": "2026-03-17T06:37:59.369Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3237", "state": "PUBLISHED", "dateUpdated": "2026-03-17T13:20:24.029Z", "dateReserved": "2026-02-26T00:26:01.068Z", "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "datePublished": "2026-03-17T06:37:59.369Z", "assignerShortName": "Octopus"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability."}], "id": "CVE-2026-3237", "lastModified": "2026-03-17T14:20:01.670", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@octopus.com", "type": "Secondary"}]}, "published": "2026-03-17T07:16:03.610", "references": [{"source": "security@octopus.com", "url": "https://advisories.octopus.com/post/2026/sa2026-03"}], "sourceIdentifier": "security@octopus.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}