Octopus Deploy Octopus Server vulnerabilities
60 known vulnerabilities affecting octopus_deploy/octopus_server.
Total CVEs: 60
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 18, MEDIUM 34, LOW 4
Vulnerabilities
Page 1 of 3
CVE-2022-2572 | CRITICAL | CVSS 9.8 | P3 | CWE-287 | 2022-11-01
Affected versions: ≥ 3.5, < unspecified; ≥ unspecified, < 2022.1.3264; +6 more
In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.
Source: nvd
CVE-2025-0539 | HIGH | CVSS 8.8 | P3 | CWE-918 | 2025-04-10
Affected versions: ≥ 2.6.0, < 2024.3.13071; ≥ 2024.4.401, < 2024.4.7065
In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material, allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself.
Source: nvd
CVE-2026-0704 | CRITICAL | CVSS 9.1 | P3 | CWE-22 | 2026-02-25
Affected versions: ≥ 2023.0.0, < 2025.3.14715; ≥ 2025.4.0, < 2025.4.10359
In affected versions of Octopus Deploy it was possible to remove files and/or the contents of files on the host using an API endpoint. The field lacked validation, which could potentially result in ways to circumvent expected workflows.
Source: nvd
CVE-2022-2778 | CRITICAL | CVSS 9.8 | P3 | 2022-09-30
Affected versions: ≥ 3.0, < unspecified; ≥ unspecified, < 2022.2.8277; +4 more
In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
Source: nvd
CVE-2022-4009 | HIGH | CVSS 8.8 | P3 | CWE-77 | 2023-03-16
Affected versions: ≥ 3.0.19, < unspecified; ≥ unspecified, < 2022.2.8552; +5 more
In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation.
Source: nvd
CVE-2022-2782 | CRITICAL | CVSS 9.1 | P3 | CWE-613 | 2022-10-27
Affected versions: ≥ 0.9, < unspecified; ≥ unspecified, < 2022.2.8351; +4 more
In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the session token parameters.
Source: nvd
CVE-2021-31820 | HIGH | CVSS 7.5 | P3 | CWE-312 | 2021-08-18
Affected versions: ≥ 2018.8.2, < unspecified; ≥ unspecified, < 2020.6.5310; +2 more
In Octopus Server after version 2018.8.2, if the Octopus Server Web Request Proxy is configured with authentication, the password is shown in plaintext in the UI.
Source: nvd
CVE-2021-31816 | HIGH | CVSS 7.5 | P3 | CWE-312 | 2021-07-08
Affected versions: ≥ 0.9, < unspecified; ≥ unspecified, < 2020.6.5146; +2 more
When configuring Octopus Server, if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
Source: nvd
CVE-2021-31817 | HIGH | CVSS 7.5 | P3 | CWE-312 | 2021-07-08
Affected versions: ≥ 2020.6.4671, < unspecified; ≥ unspecified, < 2020.6.5146; +2 more
When configuring Octopus Server, if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext.
Source: nvd
CVE-2022-2780 | HIGH | CVSS 8.1 | P3 | CWE-294 | 2022-10-14
Affected versions: ≥ 2021.2.994, < unspecified; ≥ unspecified, < 2022.1.3180; +4 more
In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB request, resulting in the potential for an NTLM relay attack.
Source: nvd
CVE-2024-2975 | HIGH | CVSS 7.5 | P3 | CWE-1223 | 2024-04-09
Affected versions: ≥ 0.9, < 2023.4.8432; ≥ 2024.1.437, < 2024.1.12087; +1 more
A race condition was identified through which privilege escalation was possible in certain configurations.
Source: nvd
CVE-2025-0525 | HIGH | CVSS 7.5 | P3 | CWE-200 | 2025-02-11
Affected versions: ≥ 2020.6.4592, < 2024.3.13007; ≥ 2024.4.401, < 2024.4.6995
In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server.
Source: nvd
CVE-2022-2013 | HIGH | CVSS 7.5 | P3 | 2022-06-13
Affected versions: ≥ 2022.1.1495, < unspecified; ≥ unspecified, < 2022.1.2647
In Octopus Server after version 2022.1.1495 and before 2022.1.2647, if private spaces were enabled via the experimental feature flag, all new users would have access to the Script Console within their private space.
Source: nvd
CVE-2022-1670 | HIGH | CVSS 7.5 | P3 | 2022-05-19
Affected versions: ≥ 0.9, < unspecified; ≥ unspecified, < 2021.3.12533; +2 more
When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was possible to bypass this restriction of validity to create extra user accounts above the initial number of invited users.
Source: nvd
CVE-2022-2721 | HIGH | CVSS 7.5 | P3 | CWE-532 | 2022-11-25
Affected versions: ≥ 2022.2.6729, < unspecified; ≥ unspecified, < 2022.2.7965; +2 more
In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in plaintext when verbose logging is enabled.
Source: nvd
CVE-2023-1904 | HIGH | CVSS 7.5 | P3 | CWE-532 | 2023-12-14
Affected versions: ≥ 2022.2.7897, < unspecified; ≥ unspecified, < 2023.1.11942; +2 more
In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server.
Source: nvd
CVE-2022-3460 | HIGH | CVSS 7.5 | P3 | CWE-212 | 2023-01-03
Affected versions: ≥ 2018.3.1, < unspecified; ≥ unspecified, < 2021.3.13150; +8 more
In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed in variable preview.
Source: nvd
CVE-2022-2883 | HIGH | CVSS 7.5 | P3 | CWE-434 | 2023-02-22
Affected versions: ≥ 0.9, < unspecified; ≥ unspecified, < 2022.3.11043; +2 more
In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task, which results in Denial of Service.
Source: nvd
CVE-2022-2075 | HIGH | CVSS 7.5 | P3 | 2022-08-19
Affected versions: ≥ 0.9, < unspecified; ≥ unspecified, < 2022.1.2894; +4 more
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request validation.
Source: nvd
CVE-2022-2049 | HIGH | CVSS 7.5 | P3 | 2022-08-19
Affected versions: ≥ 0.9, < unspecified; ≥ unspecified, < 2022.1.2894; +4 more
In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
Source: nvd