{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-25T01:54:52.296","vulnerabilities":[{"cve":{"id":"CVE-2026-3237","sourceIdentifier":"security@octopus.com","published":"2026-03-17T07:16:03.610","lastModified":"2026-06-17T10:43:16.037","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability."},{"lang":"es","value":"En las versiones afectadas de Octopus Server era posible para un usuario con bajos privilegios manipular una solicitud de API para cambiar los plazos de caducidad y revocación de la clave de firma a través de un endpoint de API que tenía una validación de permisos incorrecta. No era posible exponer las claves de firma utilizando esta vulnerabilidad."}],"affected":[{"source":"security@octopus.com","affectedData":[{"vendor":"Octopus Deploy","product":"Octopus Server","defaultStatus":"unaffected","platforms":["Windows"],"versions":[{"version":"2023.0.0","lessThan":"2025.3.14731","versionType":"custom","status":"affected"},{"version":"2025.4.0","lessThan":"2025.4.10359","versionType":"custom","status":"affected"},{"version":"2026.1.0","lessThan":"2026.1.5571","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security@octopus.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.3,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-03-17T13:20:19.497726Z","id":"CVE-2026-3237","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","description":[{"lang":"en","value":"CWE-285"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*","versionEndExcluding":"2025.3.14731","matchCriteriaId":"33159148-02D1-4BF7-9757-9BE7EDE5812F"},{"vulnerable":true,"criteria":"cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2025.4.51","versionEndExcluding":"2025.4.10359","matchCriteriaId":"DDD68927-7049-4FF9-A9B1-EDEA0DF967B5"},{"vulnerable":true,"criteria":"cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2026.1.675","versionEndExcluding":"2026.1.5571","matchCriteriaId":"B52D0F4C-0A73-4692-B1D7-3335509A2E93"}]}]}],"references":[{"url":"https://advisories.octopus.com/post/2026/sa2026-03","source":"security@octopus.com","tags":["Vendor Advisory"]}]}}]}