Octopus Octopus Server — known CVE vulnerabilities
Every CVE whose affected-product data names Octopus Octopus Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (64)
CVE-2024-9194 — CVSS 9.8 (critical): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsoft Windows Octopus…
CVE-2022-2778 — CVSS 9.8 (critical): In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes.
CVE-2018-11320 — CVSS 9.8 (critical): In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive values obfuscated in…
CVE-2022-2572 — CVSS 9.8 (critical): In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API…
CVE-2022-2782 — CVSS 9.1 (critical): In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper validation of the…
CVE-2026-0704 — CVSS 9.1 (critical): In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field…
CVE-2024-2975 — CVSS 8.8 (high): A race condition was identified through which privilege escalation was possible in certain configurations.
CVE-2025-0539 — CVSS 8.8 (high): In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain…
CVE-2022-4009 — CVSS 8.8 (high): In affected versions of Octopus Deploy it is possible for a user to introduce code via offline package creation
CVE-2018-18850 — CVSS 8.8 (high): In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment processes could…
CVE-2019-11632 — CVSS 8.1 (high): In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUnscoped or…
CVE-2022-2780 — CVSS 8.1 (high): In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to initiate an SMB…
CVE-2021-26556 — CVSS 7.8 (high): When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an unprivileged user…
CVE-2022-1670 — CVSS 7.5 (high): When generating a user invitation code in Octopus Server, the validity of this code can be set for a specific number of users. It was…
CVE-2018-12089 — CVSS 7.5 (high): In Octopus Deploy version 2018.5.1 to 2018.5.7, a user with Task View is able to view a password for a Service Fabric Cluster, when the…
CVE-2025-0525 — CVSS 7.5 (high): In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could…
CVE-2021-31820 — CVSS 7.5 (high): In Octopus Server after version 2018.8.2 if the Octopus Server Web Request Proxy is configured with authentication, the password is shown…
CVE-2022-2721 — CVSS 7.5 (high): In affected versions of Octopus Server it is possible for target discovery to print certain values marked as sensitive to log files in…
CVE-2022-2049 — CVSS 7.5 (high): In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service via the package upload function.
CVE-2022-2074 — CVSS 7.5 (high): In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service using the Variable Project Template.
CVE-2022-2075 — CVSS 7.5 (high): In affected versions of Octopus Deploy it is possible to perform a Regex Denial of Service targeting the build information request…
CVE-2022-3460 — CVSS 7.5 (high): In affected versions of Octopus Deploy it is possible for certain types of sensitive variables to inadvertently become unmasked when viewed…
CVE-2022-2883 — CVSS 7.5 (high): In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
CVE-2022-2528 — CVSS 6.5 (medium): In affected versions of Octopus Deploy it is possible to upload a package to built-in feed with insufficient permissions after re-indexing…
CVE-2019-8944 — CVSS 6.5 (medium): An Information Exposure issue in the Terraform deployment step in Octopus Deploy before 2019.1.8 (and before 2018.10.4 LTS) allows remote…
CVE-2022-2828 — CVSS 6.5 (medium): In affected versions of Octopus Server it is possible to reveal information about teams via the API due to an Insecure Direct Object…
CVE-2024-6972 — CVSS 6.5 (medium): In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in…
CVE-2026-4881 — CVSS 6.5 (medium): In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make…
CVE-2022-3614 — CVSS 6.1 (medium): In affected versions of Octopus Deploy users of certain browsers using AD to sign-in to Octopus Server were able to bypass authentication…
CVE-2022-29890 — CVSS 6.1 (medium): In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link.
CVE-2022-23184 — CVSS 6.1 (medium): In affected Octopus Server versions when the server HTTP and HTTPS bindings are configured to localhost, Octopus Server will allow open…
CVE-2017-11348 — CVSS 5.7 (medium): In Octopus Deploy 3.x before 3.15.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously…
CVE-2022-2346 — CVSS 5.5 (medium): In affected versions of Octopus Deploy it is possible for a low privileged guest user to interact with extension endpoints.
CVE-2022-4008 — CVSS 5.5 (medium): In affected versions of Octopus Deploy it is possible to upload a zipbomb file as a task which results in Denial of Service
CVE-2022-2416 — CVSS 5.5 (medium): In affected versions of Octopus Deploy it is possible for a low privileged guest user to craft a request that allows enumeration/recon of…
CVE-2025-0513 — CVSS 5.4 (medium): In affected versions of Octopus Server error messages were handled unsafely on the error page. If an adversary could control any part of…
CVE-2025-0526 — CVSS 5.4 (medium): In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field…
CVE-2022-4898 — CVSS 5.4 (medium): In affected versions of Octopus Server the help sidebar can be customized to include a Cross-Site Scripting payload in the support link…
CVE-2025-0589 — CVSS 5.3 (medium): In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated…
CVE-2022-2783 — CVSS 5.3 (medium): In affected versions of Octopus Server it was identified that a session cookie could be used as the CSRF token
CVE-2022-1881 — CVSS 5.3 (medium): In affected versions of Octopus Server an Insecure Direct Object Reference vulnerability exists where it is possible for a user to download…
CVE-2022-2507 — CVSS 5.3 (medium): In affected versions of Octopus Deploy it is possible to render user supplied input into the webpage
CVE-2022-30532 — CVSS 5.3 (medium): In affected versions of Octopus Deploy, there is no logging of changes to artifacts within Octopus Deploy.
CVE-2022-2781 — CVSS 5.3 (medium): In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and…
CVE-2022-4870 — CVSS 5.3 (medium): In affected versions of Octopus Deploy it is possible to discover network details via error message
CVE-2022-2508 — CVSS 5.3 (medium): In affected versions of Octopus Server it is possible to reveal the existence of resources in a space that the user does not have access to…
CVE-2022-2720 — CVSS 5.3 (medium): In affected versions of Octopus Server it was identified that when a sensitive value is a substring of another value, sensitive value…
CVE-2022-1901 — CVSS 5.3 (medium): In affected versions of Octopus Deploy it is possible to unmask sensitive variables by using variable preview.
CVE-2025-0588 — CVSS 4.9 (medium): In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By…
CVE-2019-14525 — CVSS 4.9 (medium): In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019.7.x before 2019.7.6, an authenticated system administrator is able to…
CVE-2022-2760 — CVSS 4.3 (medium): In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an…
CVE-2026-3236 — CVSS 4.3 (medium): In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key…
CVE-2022-2259 — CVSS 4.3 (medium): In affected versions of Octopus Deploy it is possible for a user to view Workerpools without being explicitly assigned permissions to view…
CVE-2022-2258 — CVSS 4.3 (medium): In affected versions of Octopus Deploy it is possible for a user to view Tagsets without being explicitly assigned permissions to view…
CVE-2023-4509 — CVSS 4.3 (medium): It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt.
CVE-2026-3237 — CVSS 4.3 (medium): In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key…
CVE-2020-16197 — CVSS 4.3 (medium): An issue was discovered in Octopus Deploy 3.4. A deployment target can be configured with an Account or Certificate that is outside the…
CVE-2019-15698 — CVSS 4.3 (medium): In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, an authenticated user with VariableView permissions could view…
CVE-2023-1904 — CVSS 4.2 (medium): In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of…
CVE-2024-4456 — CVSS 4.1 (medium): In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting payload on the audit page.
CVE-2024-4226 — CVSS 3.5 (low): It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and…
CVE-2024-7998 — CVSS 2.6 (low): In affected versions of Octopus Server OIDC cookies were using the wrong expiration time which could result in them using the maximum…
CVE-2024-4811 — CVSS 2.2 (low): In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project…