VYPR
High severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

Improper Privilege Management in octoprint/octoprint

CVE-2022-3068

Description

Improper Privilege Management in GitHub repository octoprint/octoprint prior to 1.8.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A privilege escalation vulnerability in OctoPrint prior to 1.8.3 allows read-only users to manage plugins due to an incorrect permission role assignment.

Vulnerability

Overview

CVE-2022-3068 is an improper privilege management vulnerability in OctoPrint, a popular web interface for 3D printers. The flaw was introduced in version 1.8.0 when a wrong permission role was assigned to the PluginManager LIST permission. This misconfiguration allowed users with read-only or standard user roles to inherit the same rights as the MANAGE permission, effectively bypassing intended access controls [1][4].

Exploitation

An attacker with a low-privileged account (e.g., read-only or user group) can exploit this vulnerability without any additional authentication. The incorrect role assignment grants them the ability to perform plugin management actions that should be restricted to administrators. These actions include enabling or disabling plugins, uninstalling plugins, listing installed plugins with their details, retrieving plugin notices, and deleting orphaned plugin settings [4].

Impact

Successful exploitation allows an attacker to fully control the plugin ecosystem of an OctoPrint instance. This could lead to the installation of malicious plugins, disabling of security-related plugins, or extraction of sensitive information from plugin details. In a worst-case scenario, an attacker could achieve arbitrary code execution on the underlying system, compromising the 3D printer and potentially the network it resides on [1].

Mitigation

The vulnerability is fixed in OctoPrint version 1.8.3. Users are strongly advised to upgrade immediately. No workarounds are available for affected versions. The fix was implemented in commit ef95ef1c101b79394f134e8fce000e6bae046571, which corrects the permission role assignment [4].
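The overview and mitigation above describe the defect as a single wrong entry in a permission definition: the LIST permission was granted to read-only, user and admin groups by default, but carried the "manage" role, so every member of those groups inherited management rights. The following added example (not OctoPrint's own code) models that structure in a few lines, shows the vulnerable and corrected definitions side by side, and adds a lint-style audit that flags any permission handing a privileged role to a non-admin group. The MANAGE entry's default groups and the set of privileged roles are assumptions for the illustration; the hunk on this page only shows the LIST entry.

```python
# Added example (not OctoPrint code): a minimal model of OctoPrint-style
# permission definitions, showing how the wrong "roles" entry on the
# LIST permission let read-only users inherit "manage" rights, plus an
# audit that flags any such definition.

READONLY_GROUP, USER_GROUP, ADMIN_GROUP = "readonly", "user", "admin"

# Roles that should only be reachable through admin-only permissions
# (assumption for this example).
PRIVILEGED_ROLES = {"manage"}

# Permission definitions in the shape the pluginmanager diff shows.
# The MANAGE entry's default_groups are assumed here.
VULNERABLE = [
    {"key": "LIST", "default_groups": [READONLY_GROUP, USER_GROUP, ADMIN_GROUP],
     "roles": ["manage"]},   # wrong role, as before the fix
    {"key": "MANAGE", "default_groups": [ADMIN_GROUP], "roles": ["manage"]},
]
FIXED = [
    {"key": "LIST", "default_groups": [READONLY_GROUP, USER_GROUP, ADMIN_GROUP],
     "roles": ["list"]},     # corrected role
    {"key": "MANAGE", "default_groups": [ADMIN_GROUP], "roles": ["manage"]},
]

def roles_for_group(permissions, group):
    """Union of roles a group inherits from every permission that lists it."""
    roles = set()
    for perm in permissions:
        if group in perm["default_groups"]:
            roles.update(perm["roles"])
    return roles

def has_role(permissions, group, role):
    """The authorization question a server-side handler would ask."""
    return role in roles_for_group(permissions, group)

def audit(permissions):
    """Flag permissions that hand a privileged role to a non-admin group."""
    findings = []
    for perm in permissions:
        leaked = PRIVILEGED_ROLES & set(perm["roles"])
        non_admin = [g for g in perm["default_groups"] if g != ADMIN_GROUP]
        if leaked and non_admin:
            findings.append((perm["key"], sorted(leaked), non_admin))
    return findings

if __name__ == "__main__":
    print("readonly can manage (vulnerable):", has_role(VULNERABLE, READONLY_GROUP, "manage"))
    print("readonly can manage (fixed):", has_role(FIXED, READONLY_GROUP, "manage"))
    print("audit findings:", audit(VULNERABLE))
```

Running `audit` over a project's real permission table as a unit test is the kind of regression check that would have caught this mismatch before release.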

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
OctoPrint (PyPI)   < 1.8.3             1.8.3

Affected products

  • ghsa-coords
    Range: < 1.8.3
  • octoprint/octoprint/octoprintv5
    Range: unspecified

Patches

ef95ef1c101b

🔒️ Fix a wrong permission role

https://github.com/octoprint/octoprint · Gina Häußge · Aug 24, 2022 · via ghsa
1 file changed · +1 −1
  • src/octoprint/plugins/pluginmanager/__init__.py (+1 −1, modified)
    @@ -228,7 +228,7 @@ def get_additional_permissions(self):
                     "name": "List plugins",
                     "description": gettext("Allows to list installed plugins."),
                     "default_groups": [READONLY_GROUP, USER_GROUP, ADMIN_GROUP],
    -                "roles": ["manage"],
    +                "roles": ["list"],
                 },
                 {
                     "key": "MANAGE",
    
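Review bot: the one-line change is correct, but the hunk leaves the invariant it restores unstated: with `"default_groups": [READONLY_GROUP, USER_GROUP, ADMIN_GROUP]` two lines above, every role listed on this entry is granted to all read-only and standard users, so the `List plugins` permission must never carry `"manage"`. Suggest a comment on the `"roles"` line tying it to the permission key, and a unit test over `get_additional_permissions()` asserting that no permission whose default groups include `READONLY_GROUP` or `USER_GROUP` lists the `manage` role, so the same slip cannot regress silently; the `MANAGE` entry that begins at the end of the hunk should be covered by that test as well.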

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

