CVE-2026-0704 is a path traversal vulnerability identified in Octopus Deploy's Octopus Server affecting versions from 2023.0.0 to 2025.4.0. The vulnerability arises due to insufficient validation of input fields in a specific API endpoint, which allows an attacker with authenticated high-level privileges to manipulate file paths. This manipulation can lead to unauthorized removal or modification of files on the host system, bypassing expected workflow restrictions. The vulnerability is categorized under CWE-22, indicating improper limitation of pathname to a restricted directory, which is a common vector for path traversal attacks. The CVSS 4.0 base score is 5.9 (medium severity), reflecting a network attack vector (AV:N), high attack complexity (AC:H), requiring privileges (PR:H), no user interaction (UI:N), and significant impacts on confidentiality, integrity, and availability (VC:N, VI:H, VA:H). Although no public exploits are known, the vulnerability poses a risk to the integrity and availability of deployment environments managed by Octopus Server. The lack of patch links suggests that a fix may be pending or not yet publicly available, emphasizing the need for vigilance and interim mitigations.

The vulnerability allows an attacker with high-level authenticated access to delete or modify arbitrary files on the host running Octopus Server. This can disrupt deployment processes, cause data loss, or corrupt critical configuration files, potentially leading to service outages or compromised system integrity. Organizations relying on Octopus Server for continuous integration and deployment risk operational disruptions and may face challenges in maintaining secure and reliable software delivery pipelines. The impact extends to confidentiality if sensitive files are deleted or altered, and availability is affected due to potential service interruptions. Given the requirement for high privileges, the threat is primarily internal or from compromised accounts, but the network attack vector means remote exploitation is feasible once credentials are obtained. This vulnerability could be leveraged in targeted attacks against organizations with complex deployment environments, especially those with limited internal access controls or monitoring.

1. Immediately review and restrict access to Octopus Server API endpoints to only trusted, necessary users with the minimum required privileges. 2. Implement strict input validation and sanitization on all API inputs, especially those involving file paths, to prevent path traversal attempts. 3. Monitor logs for unusual file deletion or modification activities and anomalous API usage patterns. 4. Employ network segmentation and firewall rules to limit access to Octopus Server management interfaces. 5. Regularly audit user privileges and revoke unnecessary high-level access to reduce the attack surface. 6. If a patch becomes available, prioritize its deployment in all affected environments. 7. Consider deploying host-based intrusion detection systems (HIDS) to alert on unauthorized file system changes. 8. Backup critical configuration and deployment files regularly to enable recovery from malicious modifications or deletions. 9. Educate administrators and DevOps teams about the risks of privilege misuse and enforce strong authentication mechanisms to prevent credential compromise.