CVE-2026-30836
Published 2026-03-19
Priority P3 · 55 · critical 10 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS 0.30% (21.2th percentile)
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | smallstep_certificates | >= 0 < 0.30.0 | 0.30.0 |
| smallstep | certificates | < 0.30.0 | 0.30.0 |
| smallstep | step-ca | < 0.30.0 | 0.30.0 |
| smallstep | step-ca | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
| osv | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
OSV
osv · 2026-03-23
CVE-2026-30836: step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) in github.com/smallstep/certificates
GHSA
ghsa · 2026-03-19
CVE-2026-30836 [CRITICAL] CWE-287: step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
## Summary
An attacker can force a Step CA SCEP provisioner to create certificates without completing certain protocol authorization checks.
## Details
SCEP requests carry a message type. On receipt of a SCEP request, Step CA starts processing it by parsing its contents. Message types that were considered valid but were not explicitly supported by Step CA would still be parsed successfully. While processing the parsed SCEP message, the authorization logic was skipped for these unsupported message types.
As a result, the request would be treated as authorized, bypassing the authorization checks normally enforced as part of the SCEP protocol and its implementation in Step CA.
Authorization webho
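As an added illustration of the bug class the Details describe (not step-ca's own code), the Go below models a provisioner authorization step keyed on the SCEP messageType, with the default-allow version beside a deny-by-default version. The messageType constants follow RFC 8894 and the earlier SCEP draft (for 18/UpdateReq); `Request`, `checkChallenge` and both authorize functions are constructed for this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
)
// SCEP messageType values; 18 (UpdateReq, from the pre-RFC SCEP draft) is the
// type named in the advisory and is not an enrollment type the CA supports.
const (
	MsgRenewalReq = 17
	MsgUpdateReq  = 18
	MsgPKCSReq    = 19
)
var ErrUnsupported = errors.New("scep: unsupported messageType")
var ErrUnauthorized = errors.New("scep: challenge password rejected")
// Request is a constructed stand-in for a parsed SCEP PKIMessage.
type Request struct {
	MessageType int
	Challenge   string
}
// checkChallenge stands in for the provisioner's challenge-password check.
func checkChallenge(got, want string) error {
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return ErrUnauthorized
	}
	return nil
}

// flawedAuthorize has the bug class the advisory describes: the check runs only
// for known enrollment types, so an UpdateReq (18) falls through as authorized.
func flawedAuthorize(r Request, want string) (bool, error) {
	if r.MessageType == MsgPKCSReq || r.MessageType == MsgRenewalReq {
		if err := checkChallenge(r.Challenge, want); err != nil {
			return false, err
		}
	}
	return true, nil // BUG: default-allow for every other message type
}

// fixedAuthorize is deny-by-default: unsupported types are rejected outright
// and supported ones must still pass the challenge check.
func fixedAuthorize(r Request, want string) (bool, error) {
	if r.MessageType != MsgPKCSReq && r.MessageType != MsgRenewalReq {
		return false, ErrUnsupported
	}
	if err := checkChallenge(r.Challenge, want); err != nil {
		return false, err
	}
	return true, nil
}
```

The instructive check for a reviewer is the shape of the control flow: any path that reaches issuance without passing through an explicit allow case is the defect.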
OSV
osv · 2026-03-19
CVE-2026-30836 [CRITICAL]: step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
OSV
osv · 2026-03-19 · CVSS 10.0
CVE-2026-30836 [CRITICAL]: Step CA is an online certificate authority for secure, automated certificate management for DevOps
Red Hat
vendor_redhat · 2026-03-19 · CVSS 10.0
CVE-2026-30836 [CRITICAL] CWE-306: github.com/smallstep/certificates: Step CA: Unauthenticated certificate issuance via SCEP Update Request
A flaw was found in Step CA, an online certificate authority. A remote attacker can exploit this vulnerability by sending an unauthenticated SCEP (Simple Certificate Enrollment Protocol) Update Request. This allows the attacker to issue unauthorized certificates, potentially leading to a compromise of the certificate management system and enabling further attacks such as impersonation or man-in-the-middle attacks.
Statement
No detection rules found.
No public exploits indexed.
Wiz
blogs_wiz · CVSS 10.0
CVE-2026-30836 [CRITICAL]: CVE-2026-30836 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30836: Wolfi vulnerability analysis and mitigation
Source: NVD
Score 10
Published March 19, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries: github.com/smallstep/certificates, frankenphp-8.3
Sources: NVD
Alpine 3.23, edge · Severity CRITICAL · Has Fix · Added at:
Bugzilla
bugzilla · 2026-03-19 · CVSS 10.0
CVE-2026-30836 [CRITICAL]: github.com/smallstep/certificates: Step CA: Unauthenticated certificate issuance via SCEP Update Request
Published 2026-03-19