CVE-2026-30836
Unauthenticated Certificate Issuance in Step CA SCEP Component
Publication date: 2026-03-19
Last updated on: 2026-04-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| smallstep | step-ca | to 0.30.0 (exc) |
| smallstep | step-ca | 0.30.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30836 is a critical security vulnerability in Step CA, an online certificate authority used for automated certificate management. Versions 0.30.0-rc6 and earlier do not properly protect against unauthenticated certificate issuance via the SCEP UpdateReq message. This means an attacker can request and obtain certificates without proper authentication.
The vulnerability stems from improper authentication (CWE-287) and improper certificate validation (CWE-295), allowing an unauthenticated remote attacker to exploit the system.
How can this vulnerability impact me?
This vulnerability has a maximum severity CVSS score of 10.0, indicating critical impact. An attacker can remotely exploit it without any privileges or user interaction.
The impact includes significant unauthorized disclosure of confidential information and unauthorized modification of data, compromising both confidentiality and integrity of the system.
However, it does not affect system availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves unauthenticated certificate issuance through the SCEP UpdateReq message type in Step CA versions 0.30.0-rc6 and below. Detection can focus on monitoring network traffic for unauthorized or unexpected SCEP UpdateReq messages being sent to the Step CA server.
Since the vulnerability is related to improper handling of SCEP message types, especially UpdateReq, you can detect attempts by inspecting SCEP protocol traffic on the network or logs on the Step CA server for such messages.
Specific commands are not explicitly provided in the available resources, but general suggestions include:
- Use network packet capture tools like tcpdump or Wireshark to filter for SCEP traffic (usually on UDP port 80 or 443 depending on configuration) and look for UpdateReq message types.
- Example tcpdump command to capture SCEP traffic: `tcpdump -i <interface> port 80 or port 443 -w scep_traffic.pcap`
- Analyze captured packets with Wireshark to identify SCEP UpdateReq messages.
- Check Step CA server logs for any unexpected or unauthenticated certificate issuance attempts or errors related to SCEP message processing.
Note: The commit related to this CVE added integration tests and improved handling of SCEP message types, but no direct detection commands are documented.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade Step CA to version 0.30.0 or later, as this version includes the fix that prevents unauthenticated certificate issuance via the SCEP UpdateReq message.
Until the upgrade can be performed, consider restricting network access to the Step CA server to trusted clients only, to reduce the risk of exploitation.
Additionally, monitor logs and network traffic for suspicious SCEP UpdateReq messages and unauthorized certificate issuance attempts.
The vulnerability is critical with a CVSS score of 10.0, so prompt action is strongly recommended.