CVE-2026-30836
Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
CVSS Score
10.0
EPSS Score
0.0%
EPSS Percentile
1th
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
| CWE | CWE-287 CWE-295 |
| Vendor | smallstep |
| Product | certificates |
| Published | Mar 19, 2026 |
| Last Updated | Mar 25, 2026 |
Stay Ahead of the Next One
Get instant alerts for smallstep certificates
Be the first to know when new critical vulnerabilities affecting smallstep certificates are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
smallstep / certificates
< 0.30.0