CVE-2025-0539
Published: 2025-04-10
Priority: P3 (56) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% (21.7th percentile)
In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| octopus | octopus_server | >= 2.6.0 < 2024.3.13071 | 2024.3.13071 |
| octopus | octopus_server | >= 2024.4.401 < 2024.4.7065 | 2024.4.7065 |
| octopus_deploy | octopus_server | >= 2.6.0 < 2024.3.13071 | 2024.3.13071 |
| octopus_deploy | octopus_server | >= 2024.4.401 < 2024.4.7065 | 2024.4.7065 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 5.9 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No public exploits indexed.
## CVE-2026-3237: Octopus Deploy vulnerability analysis and mitigation (Wiz)
In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.
Source: NVD

| Field | Value |
|---|---|
| Score | 2.3 |
| Published | March 17, 2026 |
| Severity | LOW |
| CNA Score | 2.3 |
| Affected Technologies | Octopus Deploy |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 8.9 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | cpe:2.3:a:octopus:octopus_server |
| Sources | NVD |
## CVE-2026-3236: Octopus Deploy vulnerability analysis and mitigation (Wiz)
In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token.
Source: NVD

| Field | Value |
|---|---|
| Score | 2.3 |
| Published | March 5, 2026 |
| Severity | LOW |
| CNA Score | 2.3 |
| Affected Technologies | Octopus Deploy |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 10.5 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | cpe:2.3:a:octopus:octopus_server |
## CVE-2026-0704: Octopus Deploy vulnerability analysis and mitigation (Wiz)
In affected versions of Octopus Deploy it was possible to remove files and/or the contents of files on the host using an API endpoint. The field lacked validation, which could potentially result in ways to circumvent expected workflows.
Source: NVD

| Field | Value |
|---|---|
| Score | 5.9 |
| Published | February 25, 2026 |
| Severity | MEDIUM |
| CNA Score | 5.9 |
| Affected Technologies | Octopus Deploy |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 24 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | cpe:2.3:a:octopus:octopus_server |