
Octopus Server: API Keys Can Have Longer Lifetime Than Expected

CVE-2026-3236
Summary

In affected versions of Octopus Server, an attacker could create a new API key using an existing access token, and the new key could outlive the API key originally used to mint that token, potentially giving them permanent access. Update to the latest version to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| octopus | octopus_server | > 2023.1.4189, <= 2025.3.14761 | |
| octopus | octopus_server | > 2025.4.51, <= 2025.4.10409 | |
Original title
In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mi...
Original description
In affected versions of Octopus Server it was possible to create a new API key from an existing access token resulting in the new API key having a lifetime exceeding the original API key used to mint the access token.
NVD CVSS 4.0: 2.3
Vulnerability type
CWE-863 Incorrect Authorization
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
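
The lifetime problem in the original description, as an added Python example that is not Octopus Server code: a minimal model of minting an access token from an API key and then creating a new key from that token, with the unchecked path beside one that caps the new key's expiry at the originating key's. All class names, function names and lifetimes here are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_LIFETIME = timedelta(hours=1)  # assumed value for this model

@dataclass(frozen=True)
class ApiKey:
    owner: str
    expires: Optional[datetime]  # None means the key never expires

@dataclass(frozen=True)
class AccessToken:
    owner: str
    expires: datetime
    source_key_expires: Optional[datetime]  # expiry of the key that minted it

def mint_token(key: ApiKey, now: datetime) -> AccessToken:
    """Exchange a live API key for a short-lived access token."""
    if key.expires is not None and now >= key.expires:
        raise PermissionError("API key has expired")
    expires = now + TOKEN_LIFETIME
    if key.expires is not None:
        expires = min(expires, key.expires)  # token never outlives its key
    return AccessToken(key.owner, expires, key.expires)

def _require_live(token: AccessToken, now: datetime) -> None:
    if now >= token.expires:
        raise PermissionError("access token has expired")

def create_key_unchecked(token, now, requested_expiry=None) -> ApiKey:
    """Flawed path: the token is authenticated but its lineage is ignored."""
    _require_live(token, now)
    return ApiKey(token.owner, requested_expiry)

def create_key_capped(token, now, requested_expiry=None) -> ApiKey:
    """Hardened path: a derived key may not outlive the originating key."""
    _require_live(token, now)
    ceiling = token.source_key_expires
    if ceiling is None:               # originating key was itself unbounded
        return ApiKey(token.owner, requested_expiry)
    if requested_expiry is None or requested_expiry > ceiling:
        requested_expiry = ceiling    # clamp to the originating key's expiry
    return ApiKey(token.owner, requested_expiry)

if __name__ == "__main__":
    now = datetime(2026, 1, 1, tzinfo=timezone.utc)   # constructed sample data
    seed = ApiKey("svc-deploy", now + timedelta(days=7))
    token = mint_token(seed, now)
    print("unchecked:", create_key_unchecked(token, now).expires)
    print("capped:   ", create_key_capped(token, now).expires)
```

The design point is that the access token carries the originating key's expiry forward, so the key-creation endpoint has something to enforce against.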