Vulnerability Description
In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Octopus | Octopus Server | >= 2020.3.3, < 2024.3.13071 |
| Linux | Linux Kernel | - |
| Microsoft | Windows | - |
Related Weaknesses (CWE)
References
- https://advisories.octopus.com/post/2025/sa2025-01/Vendor Advisory
FAQ
What is CVE-2025-0589?
CVE-2025-0589 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which woul...
How severe is CVE-2025-0589?
CVE-2025-0589 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-0589?
Check the references section above for vendor advisories and patch information. Affected products include: Octopus Octopus Server, Linux Linux Kernel, Microsoft Windows.