Cyber Posture

CVE-2026-0704

Critical

Published: 25 February 2026

Published
25 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0009 24.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0704 is a critical-severity Path Traversal (CWE-22) vulnerability in Octopus Octopus Server. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the lack of validation in the API field that enables path traversal attacks resulting in arbitrary file deletion or content removal.

SI-2 Flaw Remediation good match
prevent

Requires timely flaw remediation through patching the specific vulnerability in affected Octopus Deploy versions as detailed in the official advisory.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations to prevent unauthorized access and manipulation of host files circumvented by the path traversal vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
attack.mitre.org →
Why these techniques?

Path traversal in unauthenticated public API endpoint directly enables remote exploitation of a public-facing application (T1190) to perform arbitrary file deletion (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In affected version of Octopus Deploy it was possible to remove files and/or contents of files on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.

Deeper analysisAI

CVE-2026-0704 affects affected versions of Octopus Deploy, where an API endpoint lacks validation in a field, enabling the removal of files and/or their contents on the host system. This path traversal vulnerability, linked to CWE-22, allows circumvention of expected workflows and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical severity due to high integrity and availability impacts.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation grants the ability to delete arbitrary files or clear their contents on the server, disrupting service availability and integrity without compromising confidentiality.

The official advisory provides details on mitigation and patches at https://advisories.octopus.com/post/2026/sa2026-01.

Details

CWE(s)
NVD-CWE-noinfoCWE-22

Affected Products

octopus
octopus server
2023.1.4189 — 2025.3.14715

CVEs Like This One

CVE-2025-0525Same product: Linux Linux Kernel
CVE-2025-52452Same product: Linux Linux Kernel
CVE-2024-52363Same product: Linux Linux Kernel
CVE-2025-23318Same product: Linux Linux Kernel
CVE-2025-23310Same product: Linux Linux Kernel
CVE-2025-69273Same product: Linux Linux Kernel
CVE-2025-23317Same product: Linux Linux Kernel
CVE-2025-23311Same product: Linux Linux Kernel
CVE-2026-28710Same product: Linux Linux Kernel
CVE-2024-51954Same product: Linux Linux Kernel

References