Authentication Flaw in Octopus Server Allows Unauthorized Server Changes
CVE-2026-4881

CVSS v4: 6 (MEDIUM)

Key Information:

Vendor:
CVE Published: 4 June 2026

What is CVE-2026-4881?

Affected versions of Octopus Server do not correctly enforce permissions on one API endpoint. Any authenticated user can call that endpoint and make server-level changes without the required permission, and the change is applied even when an error is encountered while handling the request. An authenticated attacker could use this to alter server settings and configuration, disrupting the server or undermining its integrity.
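The advisory does not say how the endpoint's check fails. The following added example (not code from Octopus Server; the users, permission name and settings are made up) models one way an endpoint can exhibit exactly the behaviour described: the server-level write happens before authorization, so an authenticated caller without the permission still changes the setting and the request then ends in an error. The fixed handler beside it authorizes first and treats an error in the check itself as a denial, so nothing is written.

```python
# Added example, not code from Octopus Server. It models the class of flaw
# the advisory describes: an authenticated caller reaches a server-level
# change without the required permission, and the change persists even
# though the request ends in an error. Permission names, users and settings
# are hypothetical; the write-before-check ordering is an assumption.
from copy import deepcopy
from dataclasses import dataclass, field

ADMIN_PERMISSION = "AdministerSystem"   # hypothetical permission name


class PermissionStoreError(Exception):
    """Simulates a failure inside the permission lookup itself."""


@dataclass
class User:
    name: str
    authenticated: bool = True
    permissions: set = field(default_factory=set)


def has_permission(user, permission, *, store_available=True):
    """Permission lookup; store_available=False simulates a backend error."""
    if not store_available:
        raise PermissionStoreError("permission store unavailable")
    return permission in user.permissions


def handle_vulnerable(settings, user, patch, *, store_available=True):
    """Vulnerable ordering: the change is written, then authorization runs.
    Returns (HTTP status, settings as persisted after the request)."""
    if not user.authenticated:
        return 401, settings
    persisted = deepcopy(settings)
    persisted.update(patch)              # side effect happens first
    try:
        if not has_permission(user, ADMIN_PERMISSION, store_available=store_available):
            return 403, persisted        # error response, but the write already stuck
    except PermissionStoreError:
        return 500, persisted            # same: error reported, change kept
    return 200, persisted


def handle_fixed(settings, user, patch, *, store_available=True):
    """Fail-closed ordering: authorize first; a denial or an error in the
    check leaves the settings untouched."""
    if not user.authenticated:
        return 401, settings
    try:
        allowed = has_permission(user, ADMIN_PERMISSION, store_available=store_available)
    except PermissionStoreError:
        return 503, settings             # an error in the check denies the request
    if not allowed:
        return 403, settings
    persisted = deepcopy(settings)
    persisted.update(patch)              # side effect only after a positive check
    return 200, persisted


def demo():
    """Run both handlers over constructed users and return the outcomes."""
    base = {"maintenance_mode": False}
    lowpriv = User("dev", permissions={"ProjectView"})
    admin = User("ops", permissions={ADMIN_PERMISSION})
    patch = {"maintenance_mode": True}
    return {
        "vuln_lowpriv": handle_vulnerable(base, lowpriv, patch),
        "vuln_error": handle_vulnerable(base, lowpriv, patch, store_available=False),
        "fixed_lowpriv": handle_fixed(base, lowpriv, patch),
        "fixed_error": handle_fixed(base, admin, patch, store_available=False),
        "fixed_admin": handle_fixed(base, admin, patch),
    }


if __name__ == "__main__":
    for case, (status, state) in demo().items():
        print(f"{case}: HTTP {status}, maintenance_mode={state['maintenance_mode']}")
```

The point to check when reviewing any such endpoint is the one the two handlers differ on: the authorization decision must complete, and complete positively, before any persistent side effect, and an exception inside the check must count as a denial rather than fall through to the write.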

Affected Version(s)

  • Octopus Server Windows: 2023.0.0 ≤ version < 2025.4.10523

  • Octopus Server Windows: 2025.4.0 ≤ version < 2025.4.10545

  • Octopus Server Windows: 2026.1.0 ≤ version < 2026.1.11313
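An added example, not code from the advisory or from Octopus Deploy, for checking an installed build against the ranges listed above. The bounds are the advisory's; the parsing and the sample inventory are constructed. Two details matter in practice: the comparison must be numeric per component (as a string, "2025.4.9999" sorts after "2025.4.10523"), and the first two ranges overlap, so a build such as 2025.4.10530 is caught only by the second range and every range has to be consulted.

```python
# Added example, not code from the advisory or from Octopus Deploy: decide
# whether an installed Octopus Server build falls in any affected range.
# Each range is read as lower bound inclusive, upper bound exclusive (the
# "<" in the advisory). The bounds are the advisory's; the code is illustrative.
AFFECTED_RANGES = [
    ("2023.0.0", "2025.4.10523"),
    ("2025.4.0", "2025.4.10545"),
    ("2026.1.0", "2026.1.11313"),
]


def parse_version(text):
    """'2025.4.10523' -> (2025, 4, 10523). Components compare as integers, so
    2025.4.9999 sorts before 2025.4.10523 (a string compare would not). Any
    pre-release or build suffix after '-' or '+' is ignored; missing trailing
    components count as 0."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    """True if the version lies inside at least one affected range. The first
    two ranges overlap (2025.4.10523 up to 2025.4.10544 is covered only by the
    second), so a match in any range is enough."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each version string to 'affected' or 'not affected'."""
    return {v: ("affected" if is_affected(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["2024.3.12000", "2025.4.9999", "2025.4.10530", "2025.4.10545", "2026.1.11313"]
    for version, verdict in triage(sample).items():
        print(f"{version:>15}: {verdict}")
```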

CVSS v4

Score: 6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published

Credit

This vulnerability was found by MononcleMich.