{"api_version":"1","generated_at":"2026-04-22T21:17:25+00:00","cve":"CVE-2026-3237","urls":{"html":"https://cve.report/CVE-2026-3237","api":"https://cve.report/api/cve/CVE-2026-3237.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-3237","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-3237"},"summary":{"title":"CVE-2026-3237","description":"In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.","state":"PUBLISHED","assigner":"Octopus","published_at":"2026-03-17 07:16:03","updated_at":"2026-04-07 01:00:20"},"problem_types":["CWE-285","Low-Privilege User Can Modify Global Signing Key Settings","CWE-285 CWE-285 Improper Authorization"],"metrics":[{"version":"4.0","source":"security@octopus.com","type":"Secondary","score":"2.3","severity":"LOW","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"2.3","severity":"LOW","vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","data":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":2.3,"baseSeverity":"LOW","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"}},{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}}],"references":[{"url":"https://advisories.octopus.com/post/2026/sa2026-03","name":"https://advisories.octopus.com/post/2026/sa2026-03","refsource":"security@octopus.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-3237","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3237","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Octopus Deploy","product":"Octopus Server","version":"affected 2023.0.0 2025.3.14731 custom","platforms":["Windows"]},{"source":"CNA","vendor":"Octopus Deploy","product":"Octopus Server","version":"affected 2025.4.0 2025.4.10359 custom","platforms":["Windows"]},{"source":"CNA","vendor":"Octopus Deploy","product":"Octopus Server","version":"affected 2026.1.0 2026.1.5571 custom","platforms":["Windows"]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"This vulnerability was found by raihanadiarba","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"3237","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"octopus","cpe5":"octopus_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-3237","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-03-17T13:20:19.497726Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-285","description":"CWE-285 Improper Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-17T13:20:24.029Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","platforms":["Windows"],"product":"Octopus Server","vendor":"Octopus Deploy","versions":[{"lessThan":"2025.3.14731","status":"affected","version":"2023.0.0","versionType":"custom"},{"lessThan":"2025.4.10359","status":"affected","version":"2025.4.0","versionType":"custom"},{"lessThan":"2026.1.5571","status":"affected","version":"2026.1.0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"This vulnerability was found by raihanadiarba"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability."}],"value":"In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":2.3,"baseSeverity":"LOW","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"description":"Low-Privilege User Can Modify Global Signing Key Settings","lang":"en"}]}],"providerMetadata":{"dateUpdated":"2026-03-17T06:37:59.369Z","orgId":"6f4f8c89-ef06-4bae-a2a5-6734ddf76272","shortName":"Octopus"},"references":[{"url":"https://advisories.octopus.com/post/2026/sa2026-03"}],"source":{"discovery":"EXTERNAL"},"x_generator":{"engine":"Vulnogram 0.5.0"}}},"cveMetadata":{"assignerOrgId":"6f4f8c89-ef06-4bae-a2a5-6734ddf76272","assignerShortName":"Octopus","cveId":"CVE-2026-3237","datePublished":"2026-03-17T06:37:59.369Z","dateReserved":"2026-02-26T00:26:01.068Z","dateUpdated":"2026-03-17T13:20:24.029Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-17 07:16:03","lastModifiedDate":"2026-04-07 01:00:20","problem_types":["CWE-285","Low-Privilege User Can Modify Global Signing Key Settings","CWE-285 CWE-285 Improper Authorization"],"metrics":{"cvssMetricV40":[{"source":"security@octopus.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*","versionEndExcluding":"2025.3.14731","matchCriteriaId":"33159148-02D1-4BF7-9757-9BE7EDE5812F"},{"vulnerable":true,"criteria":"cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2025.4.51","versionEndExcluding":"2025.4.10359","matchCriteriaId":"DDD68927-7049-4FF9-A9B1-EDEA0DF967B5"},{"vulnerable":true,"criteria":"cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2026.1.675","versionEndExcluding":"2026.1.5571","matchCriteriaId":"B52D0F4C-0A73-4692-B1D7-3335509A2E93"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"3237","Ordinal":"1","Title":"CVE-2026-3237","CVE":"CVE-2026-3237","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"3237","Ordinal":"1","NoteData":"In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.","Type":"Description","Title":"CVE-2026-3237"}]}}}