{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3236", "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "state": "PUBLISHED", "assignerShortName": "Octopus", "dateReserved": "2026-02-26T00:25:55.210Z", "datePublished": "2026-03-05T10:37:03.736Z", "dateUpdated": "2026-03-05T14:17:07.392Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux"], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [{"lessThan": "2025.3.14761", "status": "affected", "version": "2023.0.0", "versionType": "custom"}, {"lessThan": "2025.4.10409", "status": "affected", "version": "2025.4.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability was found by nguyennb"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token."}], "value": "In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus", "dateUpdated": "2026-03-05T10:37:03.736Z"}, "references": [{"url": "https://advisories.octopus.com/post/2026/sa2026-02"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T14:16:57.713650Z", "id": "CVE-2026-3236", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T14:17:07.392Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B609A0F-1C05-47BB-BA71-2A549AF037F8", "versionEndExcluding": "2025.3.14761", "versionStartIncluding": "2023.1.4189", "vulnerable": true}, {"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C328575-4BD6-4E45-B5D8-FBC4BCDD7E66", "versionEndExcluding": "2025.4.10409", "versionStartIncluding": "2025.4.51", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token."}, {"lang": "es", "value": "En las versiones afectadas de Octopus Server era posible crear una nueva clave de API a partir de un token de acceso existente, lo que resultaba en que la nueva clave de API tuviera una vida \u00fatil que exced\u00eda la clave de API original utilizada para generar el token de acceso."}], "id": "CVE-2026-3236", "lastModified": "2026-03-13T01:30:06.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@octopus.com", "type": "Secondary"}]}, "published": "2026-03-05T11:15:54.400", "references": [{"source": "security@octopus.com", "tags": ["Vendor Advisory"], "url": "https://advisories.octopus.com/post/2026/sa2026-02"}], "sourceIdentifier": "security@octopus.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@octopus.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[2023.0.0,2025.3.14761)"}}, {"platform": ["windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[2025.4.0,2025.4.10409)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Octopus Server", "source": "cna", "vendor": "Octopus Deploy"}, "product": "octopus_server", "vendor": "octopus"}], "analysis": {"en": {"generated_at": "2026-04-16T12:24:15.281820+00:00", "value": {"mitigation_remediation": ["Upgrade Octopus Server to a version that includes the fix for the API key lifetime flaw.", "Revoke any API keys that were created using the affected access token before applying the patch and regenerate new keys with appropriate lifetimes.", "Review and tighten token lifecycle policies to enforce the intended maximum key lifetime and restrict token sharing among users."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation via API key lifetime abuse"}, "threat_synthesis": {"affected_systems": "Octopus Deploy\u2019s Octopus Server product is affected; no specific product versions are listed, so all currently running installations require verification.", "description_and_impact": "The vulnerability allows an attacker to create a new API key from an existing access token in Octopus Server, with the new key inheriting a lifetime that exceeds that of the original token. This effectively extends an authenticated session\u2019s validity beyond its intended duration, enabling an attacker to perform unauthorized actions for a longer period. The weakness is a classic example of improper privilege escalation due to inadequate access control, classified as CWE\u2011863.", "risk_and_exploitability": "The CVSS score of 2.3 indicates low severity, and the EPSS score of less than 1% suggests exploitation is unlikely in the wild. However, the attack vector is inferred to be user\u2011initiated; any individual or process that possesses a valid access token can exploit the flaw to generate a longer\u2011lived key. The vulnerability is not listed in the CISA KEV catalog, which further lowers the immediacy of risk. Nevertheless, once a key with an extended lifetime is created, the attacker gains prolonged access to the system\u2019s APIs, which can lead to privilege escalation and potential data exposure."}}}}, "created": "2026-03-06T15:07:42.416183+00:00", "title": "API Key Lifetime Abuse via Access Token in Octopus Server", "updated": "2026-04-16T12:30:06.116334+00:00", "vendors": ["octopus", "octopus$PRODUCT$octopus_server"]}