CVE-2026-0704 | THREATINT

Description

In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.

PUBLISHED Reserved 2026-01-08 | Published 2026-02-25 | Updated 2026-02-25 | Assigner Octopus

MEDIUM: 5.9CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

File Modification/Deletion Path Traversal

Product status

Default status

unaffected

2023.0.0 (custom) before 2025.3.14715

affected

2025.4.0 (custom) before 2025.4.10359

affected

Credits

This vulnerability was found by oub3ll4 finder

References

advisories.octopus.com/post/2026/sa2026-01

cve.org (CVE-2026-0704)

nvd.nist.gov (CVE-2026-0704)

Download JSON