CVE-2026-30836

EUVD-2026-13200
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 10 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N |
EPSS Score percentile: 1%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| smallstep | step-ca | 𝑥 < 0.30.0 |
| smallstep | step-ca | 0.30.0:rc1 |
| smallstep | step-ca | 0.30.0:rc2 |
| smallstep | step-ca | 0.30.0:rc3 |
| smallstep | step-ca | 0.30.0:rc4 |
| smallstep | step-ca | 0.30.0:rc5 |
| smallstep | step-ca | 0.30.0:rc6 |

𝑥 = Vulnerable software versions
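Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| golang-github-smallstep-certificates | jammy | dne |
| golang-github-smallstep-certificates | noble | needs-triage |
| golang-github-smallstep-certificates | questing | needs-triage |
| golang-github-smallstep-certificates | resolute | needs-triage |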