CVE-2026-3237
published 2026-03-17


Priority: P4 (25), medium
CVSS 3.1: 4.3 MEDIUM (AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:L / A:N)
EPSS: 0.15% (4.8th percentile)
In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

Affected

6 ranges

Vendor          Product          Version range                       Fixed in
octopus         octopus_server   < 2025.3.14731                      2025.3.14731
octopus         octopus_server   >= 2025.4.51  and < 2025.4.10359    2025.4.10359
octopus         octopus_server   >= 2026.1.675 and < 2026.1.5571     2026.1.5571
octopus_deploy  octopus_server   >= 2023.0.0   and < 2025.3.14731    2025.3.14731
octopus_deploy  octopus_server   >= 2025.4.0   and < 2025.4.10359    2025.4.10359
octopus_deploy  octopus_server   >= 2026.1.0   and < 2026.1.5571     2026.1.5571
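The check a practitioner usually wants from a listing like this is "is the build I am running inside one of those ranges, and what do I upgrade to?". The following is an added example, not code from this page or from Octopus Deploy: it transcribes the six ranges exactly as the table states them (lower bound inclusive, upper bound exclusive, no lower bound on the first row) and compares versions as tuples of integers, which is how the dotted build numbers above order. The function and constant names (`parse_version`, `fixed_version_for`, `is_affected`, `AFFECTED_RANGES`) and the sample versions tested are assumptions for illustration; a version that matches no row, such as anything after 2026.1.5571 or in the gap between a fixed build and the next release line, is reported as not affected, exactly as the table implies and no further.

```python
"""Check whether an Octopus Server version falls inside a CVE-2026-3237 affected range.

Added illustration; ranges are transcribed from the advisory's Affected table,
function names are this example's own, and the sample inputs are constructed.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """'2025.4.10359' -> (2025, 4, 10359). Rejects anything that is not dotted integers."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {s!r}")
    return tuple(int(p) for p in parts)


# (vendor, lower bound inclusive or None, upper bound exclusive, fixed-in)
# exactly as the six rows of the Affected table read.
AFFECTED_RANGES: List[Tuple[str, Optional[str], str, str]] = [
    ("octopus",        None,         "2025.3.14731", "2025.3.14731"),
    ("octopus",        "2025.4.51",  "2025.4.10359", "2025.4.10359"),
    ("octopus",        "2026.1.675", "2026.1.5571",  "2026.1.5571"),
    ("octopus_deploy", "2023.0.0",   "2025.3.14731", "2025.3.14731"),
    ("octopus_deploy", "2025.4.0",   "2025.4.10359", "2025.4.10359"),
    ("octopus_deploy", "2026.1.0",   "2026.1.5571",  "2026.1.5571"),
]


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed-in build for the first range containing `version`, else None.

    Tuple comparison gives the right order for these build numbers:
    (2025, 3, 14731) < (2025, 4, 0) because the second component decides.
    """
    v = parse_version(version)
    for _vendor, lo, hi, fixed in AFFECTED_RANGES:
        if lo is not None and v < parse_version(lo):
            continue  # below the range's inclusive lower bound
        if v >= parse_version(hi):
            continue  # at or above the fixed build: this range is patched
        return fixed
    return None


def is_affected(version: str) -> bool:
    """True when `version` is inside at least one affected range."""
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample builds, one on each side of the fixed builds.
    for sample in ["2025.3.14730", "2025.3.14731", "2025.4.10358",
                   "2025.4.20000", "2026.1.5570", "2026.1.5571", "2026.2.0"]:
        fix = fixed_version_for(sample)
        print(f"{sample:>14}: {'AFFECTED, upgrade to ' + fix if fix else 'not in an affected range'}")
```

Two things to keep in mind when reusing this: the page's two vendor spellings list slightly different lower bounds for the same lines (2025.4.51 versus 2025.4.0, 2026.1.675 versus 2026.1.0), and the code keeps both rather than guessing which is authoritative; and a build the table does not mention at all comes back as not affected, which means only "not listed here", so confirm against the vendor advisory before treating it as clean.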

CVSS provenance

NVD, CVSS v3.1: 4.3 MEDIUM
  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
NVD, CVSS v4.0: 2.3 LOW
  CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X