
CVE-2022-2572: Broken Access Control in Octopus Deploy Octopus Server

Critical
Published: Tue Nov 01 2022 (11/01/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Octopus Deploy
Product: Octopus Server

Description

In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible that the API key/keys of a disabled/deleted user were still valid after the access was revoked.

AI-Powered Analysis

Last updated: 07/03/2025, 09:11:37 UTC

Technical Analysis

CVE-2022-2572 is a critical security vulnerability affecting Octopus Deploy's Octopus Server, specifically in versions including 3.5, 2022.2.6729, 2022.3.348, and 2022.4.791. The vulnerability arises from broken access control related to API key management when external authentication providers are used. In these affected versions, if a user is disabled or deleted in the external authentication system, their associated API keys within Octopus Server may remain valid and active. This means that even after revoking user access at the authentication provider level, the API keys can still be used to access the Octopus Server API with the privileges of the disabled or deleted user. The flaw is categorized under CWE-287 (Improper Authentication), indicating a failure to properly enforce authentication controls. The vulnerability has a CVSS v3.1 score of 9.8, reflecting its critical nature, with an attack vector that is network-based, no privileges or user interaction required, and impacts confidentiality, integrity, and availability at a high level. Exploitation would allow an attacker to perform unauthorized actions via the API, potentially leading to full system compromise, data exfiltration, or disruption of deployment pipelines. Although no known exploits are reported in the wild, the ease of exploitation and severity warrant immediate attention. The root cause is the failure of Octopus Server to invalidate API keys upon user deactivation or deletion in external authentication systems, resulting in persistent access tokens that bypass intended access revocation mechanisms.

Potential Impact

For European organizations using Octopus Deploy Octopus Server, this vulnerability poses a severe risk. Octopus Server is widely used for automated deployment and DevOps orchestration, often integrated into critical software delivery pipelines. Unauthorized API access through valid but revoked API keys could allow attackers to manipulate deployment processes, inject malicious code, disrupt services, or exfiltrate sensitive configuration and operational data. This can lead to significant operational downtime, compromise of intellectual property, and potential regulatory non-compliance under GDPR due to unauthorized data access. The vulnerability undermines trust in identity and access management controls, especially in environments relying on external authentication providers such as Active Directory Federation Services or OAuth providers common in European enterprises. Given the criticality of continuous integration and deployment in modern IT environments, exploitation could have cascading effects across multiple systems and services, amplifying the impact on business continuity and security posture.

Mitigation Recommendations

Organizations should immediately verify if they are running affected versions of Octopus Server and upgrade to a patched version once available. In the interim, administrators should audit all API keys, especially those associated with disabled or deleted users, and revoke them manually to prevent unauthorized access. Implement strict API key lifecycle management policies, including automated invalidation of keys upon user deactivation. Additionally, consider enforcing short-lived API keys or token expiration policies to limit exposure. Review and tighten integration configurations with external authentication providers to ensure synchronization of user status changes is reliable and timely. Employ monitoring and alerting on unusual API activity, such as usage from disabled accounts or unexpected IP addresses. Where possible, restrict API key scopes to the minimum necessary permissions and segment deployment environments to limit blast radius. Finally, conduct regular security reviews of access control mechanisms and ensure that identity and access management processes are robust and tested against such scenarios.
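To make the root cause from the Technical Analysis and the interim mitigation concrete, here is an added, constructed model (not Octopus Server code): an API-key lookup that ignores the user's status mirrored from the external provider beside a hardened lookup that checks it, plus the audit sweep that revokes keys of disabled or deleted users. All class and method names are hypothetical.

```python
"""Constructed model of the CVE-2022-2572 pattern; not Octopus Deploy code."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    active: bool = True                 # mirrored from the external IdP
    api_keys: set = field(default_factory=set)


class KeyStore:
    """Hypothetical API-key store: users by name, keys mapped to their owner."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.key_owner: dict[str, str] = {}   # api_key -> username

    def add_user(self, name: str, key: str) -> None:
        self.users[name] = User(name, api_keys={key})
        self.key_owner[key] = name

    def sync_from_idp(self, name: str, active: bool) -> None:
        """Mirror an enable/disable from the provider. Keys are left alone (the bug)."""
        self.users[name].active = active

    def delete_user(self, name: str) -> None:
        """Constructed bug model: the user record goes, the key mapping stays."""
        self.users.pop(name, None)

    def authenticate_vulnerable(self, key: str) -> Optional[str]:
        # Only asks "does this key exist?"; revocation at the IdP is never consulted.
        return self.key_owner.get(key)

    def authenticate_fixed(self, key: str) -> Optional[str]:
        # Key must exist AND its owner must still exist and be active.
        owner = self.key_owner.get(key)
        user = self.users.get(owner) if owner else None
        return owner if user and user.active else None

    def revoke_keys_of_inactive_users(self) -> list[str]:
        """Interim audit sweep: drop every key whose owner is disabled or missing."""
        stale = [k for k, o in self.key_owner.items()
                 if o not in self.users or not self.users[o].active]
        for k in stale:
            owner = self.key_owner.pop(k)
            if owner in self.users:
                self.users[owner].api_keys.discard(k)
        return sorted(stale)


def demo() -> dict:
    """alice is disabled at the IdP, bob is deleted; compare both checks, then sweep."""
    ks = KeyStore()
    ks.add_user("alice", "API-ALICE")
    ks.add_user("bob", "API-BOB")
    ks.sync_from_idp("alice", active=False)
    ks.delete_user("bob")
    before = {k: (ks.authenticate_vulnerable(k), ks.authenticate_fixed(k))
              for k in ("API-ALICE", "API-BOB")}
    revoked = ks.revoke_keys_of_inactive_users()
    return {"before": before, "revoked": revoked,
            "after": ks.authenticate_vulnerable("API-ALICE")}
```

In `demo()` the vulnerable check still resolves both keys to their former owners, the fixed check rejects them, and after the sweep even the vulnerable path no longer finds them.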


Technical Details

Data Version: 5.1
Assigner Short Name: Octopus
Date Reserved: 2022-07-29T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d981cc4522896dcbdab27

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/3/2025, 9:11:37 AM

Last updated: 8/18/2025, 12:30:11 PM
