
Octopus Deploy Octopus Server vulnerabilities

60 known vulnerabilities affecting octopus_deploy/octopus_server.

Total CVEs: 60
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 18, MEDIUM 34, LOW 4

Vulnerabilities

Page 3 of 3
CVE-2026-3237 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2023.0.0, < 2025.3.14731; ≥ 2025.4.0, < 2025.4.10359; +1 more | 2026-03-17
CWE-285 (Improper Authorization): In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.
Source: nvd
CVE-2022-29890 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 2019.7.0, < unspecified; ≥ unspecified, < 2021.3.13021; +6 more | 2022-07-15
CWE-79 (Cross-Site Scripting): In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
Source: nvd
CVE-2022-4898 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2019.7.0, < unspecified; ≥ unspecified, < 2022.2.8552; +4 more | 2023-01-31
CWE-79 (Cross-Site Scripting): In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link. This was initially resolved in advisory 2022-07; however, it was identified that the fix could be bypassed in certain circumstances. A different approach was taken to prevent the possibility of the support link being su
Source: nvd
CVE-2024-4456 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 3.0, < 2023.3.13361; ≥ 2023.4.296, < 2023.4.8338; +1 more | 2024-05-08
CWE-79 (Cross-Site Scripting): In affected versions of Octopus Server, with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page.
Source: nvd
CVE-2022-4870 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 3.0, < unspecified; ≥ unspecified, < 2023.1.9879 | 2023-05-18
CWE-209 (Error Message Containing Sensitive Information): In affected versions of Octopus Deploy it is possible to discover network details via error messages.
Source: nvd
CVE-2022-2783 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 3.12.0, < unspecified; ≥ unspecified, < 2022.1.3154; +4 more | 2022-10-06
CWE-352 (Cross-Site Request Forgery): In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token.
Source: nvd
CVE-2026-3236 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2023.0.0, < 2025.3.14761; ≥ 2025.4.0, < 2025.4.10409 | 2026-03-05
CWE-863 (Incorrect Authorization): In affected versions of Octopus Server it was possible to create a new API key from an existing access token, resulting in the new API key having a lifetime exceeding that of the original API key used to mint the access token.
Source: nvd
CVE-2025-0513 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 2024.3.164, < 2024.3.12985; ≥ 2024.4.401, < 2024.4.6962 | 2025-02-11
CWE-79 (Cross-Site Scripting): In affected versions of Octopus Server, error messages were handled unsafely on the error page. If an adversary could control any part of the error message, they could embed code which may impact the user viewing the error message.
Source: nvd
CVE-2025-0588 | P4 | MEDIUM | CVSS 4.9 | Affected: ≥ 2020.1.0, < 2024.3.13097; ≥ 2024.4.401, < 2024.4.7091 | 2025-02-11
CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers): In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header, the user could ensure that all subsequent server responses would return 500 errors, rendering the site mostly unusable. The user would be able to subsequently set an
Source: nvd
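The failure mode in the CVE-2025-0588 text, a value influenced by one request ending up in every later response header until the HTTP stack refuses to serialise it, is the classic CWE-113 shape. The Python below is an added illustration of the two checks a practitioner wants here, validate at intake and fail soft at emission; it is not Octopus code, and the sample values, the 4096-byte limit and the function names are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample header values (not taken from the advisory): a benign Referer, one
# that smuggles a CRLF plus an extra header line, and one carrying a NUL byte.
SAMPLE_VALUES = {
    "benign": "https://octopus.example.internal/app#/projects",
    "crlf": "https://octopus.example.internal/\r\nSet-Cookie: injected=1",
    "nul": "https://octopus.example.internal/\x00",
}

# RFC 7230 field-value content: HTAB, SP and visible ASCII. CR, LF and other control
# bytes are never valid inside a header value. obs-text (0x80-0xFF) is grammatical but
# is rejected here on purpose for user-influenced values.
_FIELD_VALUE = re.compile(r"^[\t\x20-\x7e]*$")
# RFC 7230 token, the grammar for header names.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
MAX_VALUE_LEN = 4096  # assumed local limit, not an Octopus setting


def is_safe_header_name(name: str) -> bool:
    return _TOKEN.match(name) is not None


def is_safe_header_value(value: str) -> bool:
    return len(value) <= MAX_VALUE_LEN and _FIELD_VALUE.match(value) is not None


def store_custom_headers(requested: Dict[str, str]) -> Dict[str, str]:
    """Validate at intake. A bad name or value raises and nothing is persisted, so one
    crafted request cannot poison every later response."""
    for name, value in requested.items():
        if not is_safe_header_name(name):
            raise ValueError(f"invalid header name: {name!r}")
        if not is_safe_header_value(value):
            raise ValueError(f"invalid header value for {name}: {value!r}")
    return dict(requested)


def intake_rejects(requested: Dict[str, str]) -> bool:
    """True if store_custom_headers refuses the given headers."""
    try:
        store_custom_headers(requested)
    except ValueError:
        return True
    return False


def emit_headers(stored: Dict[str, str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Validate again at emission. A stored value that is somehow invalid is dropped and
    reported instead of being handed to the HTTP stack, whose exception would otherwise
    turn every response into a 500."""
    safe: List[Tuple[str, str]] = []
    dropped: List[str] = []
    for name, value in stored.items():
        if is_safe_header_name(name) and is_safe_header_value(value):
            safe.append((name, value))
        else:
            dropped.append(name)
    return safe, dropped
```

The second check matters as much as the first: a header that was stored before validation existed, or written through a different code path, should cost you one missing header and a log line, not the whole site.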
CVE-2022-2346 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2019.4.0, < 2022.4.9997; ≥ 2023.1.0, < 2023.1.10235; +1 more | 2023-08-02
In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
Source: nvd
CVE-2022-2416 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2019.4.0, < 2022.4.9997; ≥ 2023.1.0, < 2023.1.10235; +1 more | 2023-08-02
CWE-918 (Server-Side Request Forgery): In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of an environment.
Source: nvd
CVE-2022-1502 | P4 | MEDIUM | CVSS 4.3 | Affected: v< | 2022-05-04
Permissions were not properly verified in the API on projects using version control in Git. This allowed projects to be modified by users with only ProjectView permissions.
Source: nvd
CVE-2023-4509 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2018.9, < 2023.4.296; ≥ 2024.1, < 2024.1.437; +1 more | 2024-04-18
CWE-319 (Cleartext Transmission of Sensitive Information): It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt.
Source: nvd
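Two things follow from the CVE-2023-4509 text for anyone running an affected build: the audit log on disk may already contain live keys that need rotating, and the login-failure path must redact the submitted principal before it is written. The Python below is an added example of both, a scanner that reports leaked keys by line without copying them, and a hardened audit-entry writer; it is not Octopus code. The "API-" prefix and the 20-plus character body are an assumed key shape, and the log lines are constructed for the example.

```python
import re
from typing import List, Tuple

# Assumed API-key shape: an "API-" prefix followed by a run of upper-case letters and
# digits. Tune this to the formats your server actually issues.
API_KEY_RE = re.compile(r"API-[A-Z0-9]{20,}")

# Constructed sample audit lines (not from any real server), in the shape of a login audit.
SAMPLE_LOG = """\
2024-01-09 10:02:11 [INFO] Login succeeded for user alice from 10.0.4.12
2024-01-09 10:02:37 [WARN] Login failed for user 'API-ABCDEF0123456789ABCDEF0123' from 10.0.4.12
2024-01-09 10:03:01 [WARN] Login failed for user bob from 10.0.4.13
2024-01-09 10:03:15 [INFO] Request authenticated with key API-0123456789ABCDEFGHIJKLMNOP from 10.0.4.14
"""


def _mask(key: str) -> str:
    # Keep the prefix and four characters so a responder can match the key against the
    # server's key list for rotation, without the log carrying anything usable.
    return key[:8] + "..."


def find_leaked_keys(log_text: str) -> List[Tuple[int, str]]:
    """Scan an audit log for API-key-shaped strings. Returns (line_no, masked_key) pairs;
    the full key is never returned, so the scan output can be shared during response."""
    hits: List[Tuple[int, str]] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in API_KEY_RE.finditer(line):
            hits.append((line_no, _mask(match.group(0))))
    return hits


def redact(text: str) -> str:
    """Replace every key-shaped string with its masked form plus a fixed marker."""
    return API_KEY_RE.sub(lambda m: _mask(m.group(0)) + "REDACTED", text)


def audit_login_failure(username: str, source_ip: str) -> str:
    """Hardened audit entry: the submitted principal is redacted before logging, so a key
    pasted into the username field never reaches the log in clear text."""
    return f"[WARN] Login failed for user '{redact(username)}' from {source_ip}"
```

Run find_leaked_keys over the existing audit files first and rotate every key it reports; only then is redacting new entries enough.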
CVE-2022-2258 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2019.1.0, < unspecified; ≥ unspecified, < 2022.3.11098; +4 more | 2023-03-13
In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view these items.
Source: nvd
CVE-2022-2259 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2019.1.0, < unspecified; ≥ unspecified, < 2022.3.11098; +4 more | 2023-03-13
CWE-284 (Improper Access Control): In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view these items.
Source: nvd
CVE-2022-2760 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2019.5.7, < unspecified; ≥ unspecified, < 2022.1.3180; +4 more | 2022-09-28
CWE-209 (Error Message Containing Sensitive Information): In affected versions of Octopus Deploy it is possible to reveal, in an error message, the Space ID of spaces that the user does not have access to view, when a resource is part of another Space.
Source: nvd
CVE-2024-4226 | P4 | LOW | CVSS 3.5 | Affected: ≥ 2022.2.5205, < 2022.2.7934; ≥ 2022.3.348, < 2022.3.9163 | 2024-04-30
CWE-276 (Incorrect Default Permissions): It was identified that in certain versions of Octopus Server a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.
Source: nvd
CVE-2024-4811 | P4 | LOW | CVSS 2.2 | Affected: ≥ 2023.1, < 2023.4.8608; ≥ 2024.1, < 2024.1.12759; +1 more | 2024-07-25
CWE-863 (Incorrect Authorization): In affected versions of Octopus Server, under certain conditions, a user with specific role assignments can access restricted project artifacts.
Source: nvd
CVE-2024-1656 | P4 | LOW | CVSS 2.6 | Affected: ≥ 2018.1.0, < 2024.2.9193 | 2024-09-11
Affected versions of Octopus Server had a weak content security policy.
Source: nvd
CVE-2024-7998 | P4 | LOW | CVSS 2.6 | Affected: ≥ 2022.4.8332, < 2024.1.12931; ≥ 2024.1.437, < 2024.1.12931; +1 more | 2024-08-21
CWE-613 (Insufficient Session Expiration): In affected versions of Octopus Server OIDC cookies were using the wrong expiration time, which could result in them using the maximum lifespan.
Source: nvd
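Two entries on this page, CVE-2026-3236 (a new API key minted through an access token outliving the key that minted the token) and CVE-2024-7998 (an OIDC cookie given the framework's maximum lifespan instead of one tied to the token), share a root cause: the expiry of a derived credential is computed from a policy cap alone instead of from the credential that authorised it. The Python below is an added illustration of the clamp that prevents both, not Octopus code. It applies the stricter rule, bounding by the shortest-lived credential anywhere in the chain, which is at least as strict as the CVE-2026-3236 text requires. The policy caps, the Credential class and the scenario built in demo() are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Assumed policy caps for this illustration; they are not Octopus settings.
MAX_ACCESS_TOKEN_LIFETIME = timedelta(hours=1)
MAX_API_KEY_LIFETIME = timedelta(days=365)
MAX_SESSION_COOKIE_LIFETIME = timedelta(days=14)


@dataclass(frozen=True)
class Credential:
    kind: str                          # "api_key", "access_token", "id_token", ...
    subject: str
    expires_at: Optional[datetime]     # None means no expiry
    parent: Optional[Credential] = None  # credential that authorised minting this one


def lifetime_bound(cred: Credential) -> Optional[datetime]:
    """Earliest expiry anywhere in the chain of credentials that authorised `cred`."""
    bound: Optional[datetime] = None
    node: Optional[Credential] = cred
    while node is not None:
        if node.expires_at is not None and (bound is None or node.expires_at < bound):
            bound = node.expires_at
        node = node.parent
    return bound


def derive_expiry(parent: Credential, requested: Optional[datetime],
                  policy_cap: timedelta, now: datetime) -> datetime:
    """Expiry for a credential minted under `parent`: the earliest of the caller's request,
    the policy cap counted from now, and the bound inherited from the parent chain."""
    candidates = [now + policy_cap]
    if requested is not None:
        candidates.append(requested)
    inherited = lifetime_bound(parent)
    if inherited is not None:
        candidates.append(inherited)
    expiry = min(candidates)
    if expiry <= now:
        raise ValueError("parent chain already expired or requested expiry is in the past")
    return expiry


def mint_access_token(api_key: Credential, now: datetime) -> Credential:
    return Credential("access_token", api_key.subject,
                      derive_expiry(api_key, None, MAX_ACCESS_TOKEN_LIFETIME, now), api_key)


def mint_api_key_vulnerable(token: Credential, requested: Optional[datetime],
                            now: datetime) -> Credential:
    """Model of the outcome the CVE-2026-3236 text describes: only the policy cap is
    applied, so the new key can outlive the key that minted the access token."""
    expiry = now + MAX_API_KEY_LIFETIME
    if requested is not None and requested < expiry:
        expiry = requested
    return Credential("api_key", token.subject, expiry, token)


def mint_api_key(token: Credential, requested: Optional[datetime], now: datetime) -> Credential:
    return Credential("api_key", token.subject,
                      derive_expiry(token, requested, MAX_API_KEY_LIFETIME, now), token)


def session_cookie_max_age(id_token: Credential, now: datetime) -> int:
    """Max-Age for a session cookie issued after OIDC login, bounded by the token's exp
    rather than by the cookie framework's maximum (the CVE-2024-7998 failure mode)."""
    return int((derive_expiry(id_token, None, MAX_SESSION_COOKIE_LIFETIME, now) - now).total_seconds())


def demo() -> Dict[str, object]:
    """Constructed scenario: a root API key with 7 days left, an access token minted from
    it, and a new key requested for 30 days through that token."""
    now = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
    root_key = Credential("api_key", "alice", now + timedelta(days=7))
    token = mint_access_token(root_key, now)
    wanted = now + timedelta(days=30)
    vuln_key = mint_api_key_vulnerable(token, wanted, now)
    safe_key = mint_api_key(token, wanted, now)
    id_token = Credential("id_token", "alice", now + timedelta(minutes=30))
    long_id_token = Credential("id_token", "bob", now + timedelta(days=30))
    expired = Credential("access_token", "eve", now - timedelta(days=1))
    try:
        mint_api_key(expired, None, now)
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    return {
        "vulnerable_key_outlives_root_by_days": (vuln_key.expires_at - root_key.expires_at).days,
        "hardened_key_expiry_equals_token_expiry": safe_key.expires_at == token.expires_at,
        "cookie_max_age_for_30min_token": session_cookie_max_age(id_token, now),
        "cookie_max_age_capped_for_30day_token": session_cookie_max_age(long_id_token, now),
        "expired_parent_rejected": expired_rejected,
    }
```

The parent link is the point of the design: without it the minting code can only compare against policy caps, and a caller holding a short-lived token can always ask for the cap.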