CVE-2026-30836

Published: Mar 19, 2026 Last Modified: Mar 19, 2026
ExploitDB:
Other exploit source:
Google Dorks:
CRITICAL 10,0
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: changed
Confidentiality: high
Integrity: high
Availability: none

Description

AI Translation Available

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.

287

Improper Authentication

Draft
Abstraction: Class Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Confidentiality Availability Access Control
Potential Impacts:
Read Application Data Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies: ICS/OT, Not Technology-Specific, Web Based
Likelihood of Exploit: High
View CWE Details
295

Improper Certificate Validation

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Authentication
Potential Impacts:
Bypass Protection Mechanism Gain Privileges Or Assume Identity
Applicable Platforms
Technologies: Mobile, Not Technology-Specific, Web Based
View CWE Details
https://github.com/smallstep/certificates/commit/e6da031d51…
https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41…
https://github.com/smallstep/certificates/releases/tag/v0.3…
https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7
https://github.com/smallstep/certificates/security/advisori…
https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56…