Octopus Server API Permission Vulnerability Allows Low-Privilege Users to Modify Signing Key Settings

Vulnerability

A vulnerability exists in Octopus Server that allows low-privileged users to alter the expiration and revocation time frames of signing keys through an API endpoint with inadequate permission validation. This issue affects all Octopus Server builds in the 2023.x, 2024.x, 2025.1.x, 2025.2.x and 2025.3.x lines prior to 2025.3.14731, all 2025.4.x versions prior to 2025.4.10359, and all 2026.1.x versions prior to 2026.1.5571. While the vulnerability enables modification of signing key settings, it does not allow exposure of the signing keys themselves.

Impact

Exploitation of this vulnerability could lead to unauthorized changes in signing key management, potentially disrupting key validation processes or introducing security risks through improper key handling.

Remediation

Users are advised to upgrade to Octopus Server version 2026.1.11242 or, if on an earlier 2026.1.x version, to version 2026.1.5571 or greater. Users on Octopus Server versions 2023.x, 2024.x, 2025.1.x, 2025.2.x, or 2025.4.x should upgrade to version 2025.3.14731 or greater, or to 2025.4.10359 or greater, depending on their current version. Customers on Octopus Cloud do not need to take any action.
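The affected and fixed ranges above can be turned into an inventory check. The following is an added example, not code from Octopus Deploy; it assumes versions are written as YEAR.MINOR.BUILD (as in 2025.3.14731) and encodes the thresholds exactly as the advisory states them, returning "unknown" for release lines the advisory does not mention.

```python
import re
from typing import Dict, List, Optional, Tuple

# Release lines and first fixed build, taken from the advisory text.
# Every build in 2023.x, 2024.x, 2025.1.x and 2025.2.x is affected;
# 2025.3.x, 2025.4.x and 2026.1.x are affected below the listed build.
_FIRST_FIXED_BUILD = {(2025, 3): 14731, (2025, 4): 10359, (2026, 1): 5571}
_FULLY_AFFECTED_MAJORS = {2023, 2024}
_FULLY_AFFECTED_LINES = {(2025, 1), (2025, 2)}

def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a 'YEAR.MINOR.BUILD' string (assumed layout); any trailing
    suffix such as a pre-release tag is ignored."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Octopus Server version: {version!r}")
    major, minor, build = (int(part) for part in match.groups())
    return major, minor, build

def is_affected(version: str) -> Optional[bool]:
    """True if the build is inside an affected range, False if it is at or
    past the fix for its line, None if the advisory does not cover the
    line at all (pre-2023 releases or lines newer than 2026.1)."""
    major, minor, build = parse_version(version)
    if major in _FULLY_AFFECTED_MAJORS or (major, minor) in _FULLY_AFFECTED_LINES:
        return True
    first_fixed = _FIRST_FIXED_BUILD.get((major, minor))
    if first_fixed is None:
        return None
    return build < first_fixed

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort a {host: version} inventory into affected / fixed / unknown hosts."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        bucket = "unknown" if status is None else ("affected" if status else "fixed")
        buckets[bucket].append(host)
    return buckets

if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {"octo-prod": "2025.3.14700", "octo-stage": "2025.4.10359",
              "octo-lab": "2024.2.8000", "octo-next": "2026.2.100"}
    print(triage(sample))
```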

Added: Mar 17, 2026, 7:20 AM
Updated: Mar 17, 2026, 7:20 AM

Vulnerability Rating

Custom Algorithm

spread          5.0
impact          2.5
exploitability  5.2
remediation     7.7
relevance       4.0
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.