Description

In affected versions of Octopus Server, permissions were not checked correctly on a certain API endpoint, so any authenticated user could make server-level changes through that endpoint even though the request returned an error.

Status: PUBLISHED | Reserved 2026-03-26 | Published 2026-06-04 | Updated 2026-06-04 | Assigner: Octopus

Severity: MEDIUM 6.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Problem types

Insufficient permission checks on an API endpoint

Product status

Default status: unaffected

Affected: 2023.0.0 (custom) before 2025.4.10523

Affected: 2025.4.0 (custom) before 2025.4.10545

Affected: 2026.1.0 (custom) before 2026.1.11313

Credits

This vulnerability was found by MononcleMich (credited as finder).

References

advisories.octopus.com/post/2026/sa2026-04

cve.org (CVE-2026-4881)

nvd.nist.gov (CVE-2026-4881)