Authentication Flaw in Octopus Server Allows Unauthorized Server Changes
CVE-2026-4881
6 MEDIUM
What is CVE-2026-4881?
In certain versions of Octopus Server, improper permission checks allow any authenticated user to perform server-level changes through a specific API endpoint without the required permissions, even when the request encounters an error. Malicious actors could exploit this oversight to modify settings and configurations, potentially disrupting the server or compromising its integrity.
Affected Version(s)
Octopus Server Windows >= 2023.0.0, < 2025.4.10523
Octopus Server Windows >= 2025.4.0, < 2025.4.10545
Octopus Server Windows >= 2026.1.0, < 2026.1.11313
CVSS V4
Score: 6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Credit
This vulnerability was found by MononcleMich.
