CVE-2026-0704: File Modification/Deletion Path Traversal in Octopus Deploy Octopus Server
CVE-2026-0704 is a medium-severity path traversal vulnerability in Octopus Deploy Octopus Server versions 2023.0.0 through 2025.4.0. It allows authenticated users with high privileges to remove or modify files on the host system via an API endpoint that lacks proper input validation. Exploitation requires high privileges and no user interaction, but the attack complexity is high. This vulnerability can lead to unauthorized file deletion or modification, potentially disrupting deployment workflows or causing data loss. No known exploits are currently reported in the wild. Organizations using affected Octopus Server versions should prioritize patching or apply mitigations to prevent abuse.
AI Analysis
Technical Summary
CVE-2026-0704 is a path traversal vulnerability identified in Octopus Deploy's Octopus Server product, affecting versions from 2023.0.0 up to and including 2025.4.0. The vulnerability arises due to insufficient validation of a file path parameter in an API endpoint responsible for file operations. This flaw allows an authenticated user with high privileges to manipulate the file system by removing files or contents of files outside the intended scope, circumventing normal workflow restrictions. The vulnerability does not require user interaction but does require privileged authentication, indicating that attackers must already have elevated access to exploit it. The CVSS 4.0 score is 5.9 (medium), reflecting the moderate impact and complexity. Exploiting this vulnerability could disrupt deployment processes, cause data loss, or potentially facilitate further attacks by modifying critical files. No public exploit code or active exploitation has been reported to date. The vulnerability was reserved in early January 2026 and published in late February 2026. Octopus Deploy has not yet published patch links, so mitigation may rely on configuration changes or access controls until patches are available.
Potential Impact
The vulnerability enables attackers with high privileges to delete or modify arbitrary files on the Octopus Server host, potentially leading to significant operational disruption. This can interrupt automated deployment pipelines, cause loss or corruption of deployment artifacts, and undermine the integrity of release management processes. Organizations relying heavily on Octopus Deploy for continuous integration and deployment may face downtime or compromised software delivery. Additionally, malicious file modifications could be leveraged to implant backdoors or disrupt system stability. Although exploitation requires privileged access, insider threats or compromised administrator accounts could exploit this flaw. The lack of known exploits reduces immediate risk, but the potential for damage in targeted attacks is substantial. The vulnerability's impact on confidentiality is limited, but integrity and availability are notably affected.
Mitigation Recommendations
Organizations should immediately review and restrict access to Octopus Server API endpoints, ensuring only trusted administrators have high privilege accounts. Implement strict monitoring and logging of file operations and API usage to detect anomalous behavior. Until official patches are released, consider isolating Octopus Server hosts in segmented network zones with limited access. Employ application-layer firewalls or API gateways to validate and sanitize inputs to the vulnerable endpoints if possible. Regularly back up critical deployment data and configuration files to enable recovery from unauthorized deletions or modifications. Stay alert for Octopus Deploy security advisories and apply patches promptly once available. Conduct internal audits to verify no unauthorized file changes have occurred. Finally, enforce strong authentication and credential management to reduce risk of privilege escalation or account compromise.
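The input validation recommended above can be sketched as a gateway-side check that canonicalises a file path parameter and rejects anything that resolves outside an allowed base directory. This is an added example, not Octopus Deploy's code or fix; the base directory, function names and sample inputs are assumptions, since the advisory does not name the affected endpoint or parameter.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

BASE_DIR = "/srv/deploy/work"   # hypothetical allowed root, not from the advisory
MAX_DECODE_PASSES = 3           # assumption: deeper nesting is treated as hostile


def canonical_relative_path(raw: str) -> Optional[str]:
    """Return the normalised relative path, or None if it must be rejected."""
    value = raw
    # Percent-decode until stable so nested encodings are seen in final form.
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        return None  # changed on every pass: reject rather than guess
    if any(ord(ch) < 32 for ch in value):
        return None  # NUL and other control characters
    value = value.replace("\\", "/")  # treat Windows separators like POSIX ones
    if value.startswith("/") or ":" in value:
        return None  # absolute path, UNC path, drive letter or stream name
    rel = posixpath.normpath(value)
    if rel in (".", "..") or rel.startswith("../"):
        return None  # empty target or escape above the root
    return rel


def resolve_under(base: str, raw: str) -> Optional[str]:
    """Join raw onto base only if the result stays inside base."""
    rel = canonical_relative_path(raw)
    if rel is None:
        return None
    root = posixpath.normpath(base)
    full = posixpath.normpath(posixpath.join(root, rel))
    # Defence in depth: re-check containment on the joined path.
    if posixpath.commonpath([root, full]) != root:
        return None
    return full
```

The check is purely lexical; symbolic links under the base directory need a resolved-path comparison on the host itself.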
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, Netherlands, France, Japan, Sweden, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: Octopus
- Date Reserved: 2026-01-08T01:25:18.708Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699eee0bb7ef31ef0b07114d
Added to database: 2/25/2026, 12:41:47 PM
Last enriched: 2/25/2026, 12:55:47 PM
Last updated: 2/25/2026, 2:27:39 PM