CVE Watchtower


CVE-2026-30836 (NVD)

Vulnerability Summary

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
Severity Level
CRITICAL (10.0)
Published Date
Mar 19, 2026
Last Modified
Apr 27, 2026
Exploitation Status
????
EPSS Score (30-Day)
0.01% Probability
Root Weakness (CWE)
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVSS v3.1 Base Metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None