Octopus Server API Key Lifetime Extension Vulnerability via Access Token

Vulnerability

A vulnerability exists in Octopus Server that allows the creation of a new API key from an existing access token. This new API key can have a longer lifetime than the original API key that was used to generate the access token. The vulnerability is present in all 2023.x, 2024.x, 2025.1.x, 2025.2.x, and certain 2025.3.x and 2025.4.x versions of Octopus Server.

Impact

Exploitation of this vulnerability allows for the creation of API keys with extended lifetimes, potentially leading to unauthorized access or actions within Octopus Server.
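The flaw described above is a lifetime-inheritance failure: a credential derived from an access token is allowed to outlive the API key that produced the token. The following is an added illustration, not Octopus Server code, that models the vulnerable issuance path beside a hardened one and includes an audit check a defender could run over an inventory of keys; all key identifiers and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

NOW = datetime(2026, 3, 5, 11, 0, tzinfo=timezone.utc)  # constructed "current time"

@dataclass(frozen=True)
class ApiKey:
    key_id: str                     # constructed id, not a real key
    expires_at: datetime
    parent_id: Optional[str] = None  # key whose access token minted this one

@dataclass(frozen=True)
class AccessToken:
    parent: ApiKey                  # API key the short-lived token was derived from
    expires_at: datetime

def issue_key_vulnerable(token: AccessToken, requested_expiry: datetime, now: datetime = NOW) -> ApiKey:
    """Models the flaw: only the token's own validity is checked, so the caller
    can request any expiry, including one beyond the parent key's lifetime."""
    if token.expires_at <= now:
        raise PermissionError("access token expired")
    return ApiKey("derived", requested_expiry, token.parent.key_id)

def issue_key_hardened(token: AccessToken, requested_expiry: datetime, now: datetime = NOW) -> ApiKey:
    """Fix: a derived key never outlives the credential it was minted from."""
    if token.expires_at <= now:
        raise PermissionError("access token expired")
    if token.parent.expires_at <= now:
        raise PermissionError("parent API key expired")
    expiry = min(requested_expiry, token.parent.expires_at)  # clamp to parent lifetime
    return ApiKey("derived", expiry, token.parent.key_id)

def find_overlong_keys(keys: List[ApiKey]) -> List[str]:
    """Audit helper: ids of derived keys whose expiry exceeds their parent's,
    which is exactly the condition the vulnerable path produces."""
    by_id = {k.key_id: k for k in keys}
    return [k.key_id for k in keys
            if k.parent_id in by_id and k.expires_at > by_id[k.parent_id].expires_at]

def demo() -> dict:
    """Constructed scenario: a 7-day parent key, a 1-hour token, a 365-day request."""
    parent = ApiKey("parent", NOW + timedelta(days=7))
    token = AccessToken(parent, NOW + timedelta(hours=1))
    wanted = NOW + timedelta(days=365)
    bad = issue_key_vulnerable(token, wanted)
    good = issue_key_hardened(token, wanted)
    return {"bad_outlives_parent": bad.expires_at > parent.expires_at,
            "good_clamped": good.expires_at == parent.expires_at,
            "audit_bad": find_overlong_keys([parent, bad]),
            "audit_good": find_overlong_keys([parent, good])}
```

Running the audit over an export of existing keys and their provenance is the practical check for keys created while an unpatched version was in service.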

Remediation

Users on 2023.x, 2024.x, 2025.1.x, 2025.2.x, or 2025.3.x are advised to upgrade to Octopus Server version 2025.4.10464, or to version 2025.3.14761 or greater. Users on 2025.4.x should upgrade to 2025.4.10409 or greater.

Added: Mar 5, 2026, 11:19 AM
Updated: Mar 5, 2026, 11:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 3.1
exploitability: 5.2
remediation: 7.7
relevance: 3.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.