Medium severity4.3NVD Advisory· Published Mar 17, 2026· Updated Apr 7, 2026

CVE-2026-3237

Description

In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.

Affected products

Octopus/Octopus Server
cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*
Range: <2025.3.14731

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

advisories.octopus.com/post/2026/sa2026-03nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.280
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000