Auth bypass in Octopus Deploy Server
CVE-2026-4881
In affected versions of Octopus Server, permissions were not checked correctly, allowing any authenticated user to make server-level changes through a certain API endpoint despite receiving an error.
Vulnerability class: Broken Access Control
EPSS: 0.000 (10.5th percentile)
Affected products
- Octopus Deploy Server — versions 2023.0.0, 2025.4.0, 2026.1.0