{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3236", "assignerOrgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "state": "PUBLISHED", "assignerShortName": "Octopus", "dateReserved": "2026-02-26T00:25:55.210Z", "datePublished": "2026-03-05T10:37:03.736Z", "dateUpdated": "2026-03-05T14:17:07.392Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Windows", "Linux"], "product": "Octopus Server", "vendor": "Octopus Deploy", "versions": [{"lessThan": "2025.3.14761", "status": "affected", "version": "2023.0.0", "versionType": "custom"}, {"lessThan": "2025.4.10409", "status": "affected", "version": "2025.4.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "This vulnerability was found by nguyennb"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token."}], "value": "In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 2.3, "baseSeverity": "LOW", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6f4f8c89-ef06-4bae-a2a5-6734ddf76272", "shortName": "Octopus", "dateUpdated": "2026-03-05T10:37:03.736Z"}, "references": [{"url": "https://advisories.octopus.com/post/2026/sa2026-02"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T14:16:57.713650Z", "id": "CVE-2026-3236", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T14:17:07.392Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B609A0F-1C05-47BB-BA71-2A549AF037F8", "versionEndExcluding": "2025.3.14761", "versionStartIncluding": "2023.1.4189", "vulnerable": true}, {"criteria": "cpe:2.3:a:octopus:octopus_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "6C328575-4BD6-4E45-B5D8-FBC4BCDD7E66", "versionEndExcluding": "2025.4.10409", "versionStartIncluding": "2025.4.51", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token."}, {"lang": "es", "value": "En las versiones afectadas de Octopus Server era posible crear una nueva clave de API a partir de un token de acceso existente, lo que resultaba en que la nueva clave de API tuviera una vida \u00fatil que exced\u00eda la clave de API original utilizada para generar el token de acceso."}], "id": "CVE-2026-3236", "lastModified": "2026-03-13T01:30:06.483", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@octopus.com", "type": "Secondary"}]}, "published": "2026-03-05T11:15:54.400", "references": [{"source": "security@octopus.com", "tags": ["Vendor Advisory"], "url": "https://advisories.octopus.com/post/2026/sa2026-02"}], "sourceIdentifier": "security@octopus.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@octopus.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[2023.0.0,2025.3.14761)"}}, {"platform": ["windows", "linux"], "status": "affected", "versions": {"scheme": "semver", "value": "[2025.4.0,2025.4.10409)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Octopus Server", "source": "cna", "vendor": "Octopus Deploy"}, "product": "octopus_server", "vendor": "octopus"}], "created": "2026-03-06T15:07:42.416183+00:00", "updated": "2026-03-06T15:07:42.416286+00:00", "vendors": ["octopus", "octopus$PRODUCT$octopus_server"]}