CVE-2026-4881
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
In affected versions of Octopus Server, permissions were not checked correctly, allowing any authenticated user to make server-level changes via a specific API endpoint despite receiving an error.
Risk Assessment
The risk is that an unauthorized user can escalate privileges and modify server configuration, potentially leading to data integrity and confidentiality breaches.
Recommendation
It is recommended to immediately update Octopus Server to the latest version that includes a fix for this vulnerability.
Original NVD description (English source)
In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receiving an error.

