CVE-2026-30836

moderate-risk
Published 2026-03-19

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: e6da031d5125cfd99fe9a26f74bb41e4dacca4ef, d34619c55e5cd46ce08d8bdb8c846df2c4d8aca0
10
CVSS 10.0/10 Critical
NETWORK / LOW complexity

Affected Products (7)

Step-Ca
Step-Ca
Step-Ca
Step-Ca
Step-Ca
Step-Ca
Step-Ca

Affected Vendors

Smallstep

References (3)

Patch https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e...
Release Notes https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7
Vendor Advisory https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56g...
47
/ 100
moderate-risk
Severity 33/34 · Critical
Exploitability 0/34 · Minimal
Exposure 14/34 · Moderate