
Octopus Server vulnerabilities

64 known vulnerabilities affecting octopus/octopus_server.

Total CVEs: 64
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 18, MEDIUM 36, LOW 4

Vulnerabilities

Page 1 of 4
CVE-2018-18850 | P2 | HIGH | CVSS 8.8 | PoC available | Affected: ≥ 2018.8.0, ≤ 2018.8.12; ≥ 2018.9.0, < 2018.9.1 | Date: 2018-10-31
In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could upload a maliciously crafted YAML configuration, potentially allowing for remote execution of arbitrary code, running in the same context as the Octopus Server (for self-hosted installations by default, SYSTEM).
Source: nvd
CVE-2024-9194 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | Affected: ≥ 2024.1.437, < 2024.1.13038; ≥ 2024.2.101, < 2024.2.9482; +1 more | Date: 2024-09-30
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Octopus Server on Windows and Linux allows SQL Injection. This issue affects Octopus Server: from 2024.1.0 before 2024.1.13038, from 2024.2.0 before 2024.2.9482, from 2024.3.0 before 2024.3.12766.
Source: nvd
CVE-2022-2572 | P3 | CRITICAL | CVSS 9.8 | CWE-287 | Affected: ≥ 3.5, < 2022.1.3264; ≥ 2022.2.6729, < 2022.2.8277; +2 more | Date: 2022-11-01
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
Source: nvd
CVE-2025-0539 | P3 | HIGH | CVSS 8.8 | CWE-918 | Affected: ≥ 2.6.0, < 2024.3.13071; ≥ 2024.4.401, < 2024.4.7065 | Date: 2025-04-10
In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material, allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself.
Source: nvd
CVE-2026-0704 | P3 | CRITICAL | CVSS 9.1 | CWE-22 | Affected: ≥ 2023.1.4189, < 2025.3.14715 | Date: 2026-02-25
In affected versions of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation, which could potentially result in ways to circumvent expected workflows.
Source: nvd
CVE-2022-2778 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ 3.0, < 2022.2.8277; ≥ 2022.3.348, < 2022.3.10405; +1 more | Date: 2022-09-30
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
Source: nvd
CVE-2022-4009 | P3 | HIGH | CVSS 8.8 | CWE-77 | Affected: ≥ 3.0.19, < 2022.2.8552; ≥ 2022.3.348, < 2022.3.10750; +1 more | Date: 2023-03-16
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation.
Source: nvd
CVE-2022-2782 | P3 | CRITICAL | CVSS 9.1 | CWE-613 | Affected: fixed in 2022.2.8351; ≥ 2022.3.0, < 2022.3.10586; +1 more | Date: 2022-10-27
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
Source: nvd
CVE-2021-31820 | P3 | HIGH | CVSS 7.5 | CWE-312 | Affected: fixed in 2020.6.5310; ≥ 2021.1.0, < 2021.1.7622 | Date: 2021-08-18
In Octopus Server after version 2018.8.2, if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
Source: nvd
CVE-2022-2780 | P3 | HIGH | CVSS 8.1 | CWE-294 | Affected: ≥ 2021.2.994, < 2022.1.3180; ≥ 2022.2.6729, < 2022.2.7965; +1 more | Date: 2022-10-14
In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request, resulting in the potential for an NTLM relay attack.
Source: nvd
CVE-2024-2975 | P3 | HIGH | CVSS 7.5 | CWE-1223 | Affected: ≥ 0.9, < 2023.4.8432; ≥ 2024.1.437, < 2024.1.12087; +1 more | Date: 2024-04-09
A race condition was identified through which privilege escalation was possible in certain configurations.
Source: nvd
CVE-2018-11320 | P3 | CRITICAL | CVSS 9.8 | CWE-532 | Affected: ≥ 2018.4.4, ≤ 2018.5.1 | Date: 2018-05-21
In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in the deployment logs.
Source: nvd
CVE-2025-0525 | P3 | HIGH | CVSS 7.5 | CWE-200 | Affected: ≥ 2020.6.4592, < 2024.3.13007; ≥ 2024.4.401, < 2024.4.6995 | Date: 2025-02-11
In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server.
Source: nvd
CVE-2022-1670 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 0.9, < 2021.3.12533; ≥ 2022.1.0, < 2022.1.53 | Date: 2022-05-19
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.
Source: nvd
CVE-2022-2721 | P3 | HIGH | CVSS 7.5 | CWE-532 | Affected: ≥ 2022.2.6729, < 2022.2.7965; ≥ 2022.3.348, < 2022.3.9163 | Date: 2022-11-25
In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plain text when verbose logging is enabled.
Source: nvd
CVE-2023-1904 | P3 | HIGH | CVSS 7.5 | CWE-532 | Affected: ≥ 2022.1.2121, < 2023.1.11942; ≥ 2023.2.2028, < 2023.2.13151; +1 more | Date: 2023-12-14
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.
Source: nvd
CVE-2019-11632 | P3 | HIGH | CVSS 8.1 | CWE-269 | Affected: ≥ 2019.4.0, ≤ 2019.4.5 | Date: 2019-05-01
In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or VariableEditUnscoped permission scoped to a specific project could view or edit unscoped variables from a different project. (These permissions are only used in custom User Roles and do not affect built-in User Roles.)
Source: nvd
CVE-2022-3460 | P3 | HIGH | CVSS 7.5 | CWE-212 | Affected: ≥ 2018.1.0, < 2022.3.10750; ≥ 2022.4, < 2022.4.8063 | Date: 2023-01-03
In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
Source: nvd
CVE-2022-2883 | P3 | HIGH | CVSS 7.5 | CWE-434 | Affected: fixed in 2022.3.11043; ≥ 2022.4.0, < 2022.4.8401 | Date: 2023-02-22
In affected versions of Octopus Deploy it is possible to upload a zip bomb file as a task, which results in Denial of Service.
Source: nvd
CVE-2018-12089 | P3 | HIGH | CVSS 7.5 | CWE-200 | Affected: ≥ 2018.5.1, ≤ 2018.5.7 | Date: 2018-06-11
In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster when the Service Fabric Cluster target is configured in Azure Active Directory security mode and a deployment is executed with OctopusPrintVariables set to True. This is fixed in 2018.6.0.
Source: nvd