CVE
CVE-2026-30836
Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
10
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
C
H
U
-
Related Resources
No items found.
References
https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7, https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30836.json, https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw, https://nvd.nist.gov/vuln/detail/CVE-2026-30836, https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef
Basic Information
Ecosystem
