CVE-2026-4881
Description
Octopus Server allows authenticated users to make unauthorized server-level changes via an API endpoint due to insufficient permission checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In affected versions of Octopus Server, permissions were not checked correctly on a specific API endpoint, so any authenticated user could make server-level changes through it, even though the request might still return an error. The affected versions are all 2023.x, 2024.x, 2025.1.x, 2025.2.x and 2025.3.x releases, 2025.4.x releases before 2025.4.10545, and 2026.1.x releases before 2026.1.11313 [1].
Exploitation
An attacker with authenticated access to Octopus Server can exploit this vulnerability by making a request to a specific API endpoint. The vulnerability lies in the insufficient permission checks on this endpoint, enabling unauthorized server-level modifications despite potential error messages [1].
Impact
Successful exploitation allows an authenticated attacker to make unauthorized server-level changes. This could lead to a compromise of the server's configuration or state, depending on the specific API endpoint targeted [1].
Mitigation
Octopus Deploy has released patches for this vulnerability. Customers should upgrade to Octopus Server version 2025.4.10545 or 2026.1.11313, or later versions such as 2026.1.11481, to fix this issue. The recommended action is to upgrade to the latest version available from the Octopus Deploy downloads page [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.