{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30836", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.606Z", "datePublished": "2026-03-19T20:37:05.757Z", "dateUpdated": "2026-03-19T20:37:05.757Z"}, "containers": {"cna": {"title": "Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw"}, {"name": "https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef", "tags": ["x_refsource_MISC"], "url": "https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef"}, {"name": "https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7", "tags": ["x_refsource_MISC"], "url": "https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7"}], "affected": [{"vendor": "smallstep", "product": "certificates", "versions": [{"version": "< 0.30.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:37:05.757Z"}, "descriptions": [{"lang": "en", "value": "Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0."}], "source": {"advisory": "GHSA-q4r8-xm5f-56gw", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0."}], "id": "CVE-2026-30836", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T21:17:09.783", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef"}, {"source": "security-advisories@github.com", "url": "https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7"}, {"source": "security-advisories@github.com", "url": "https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.30.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "certificates", "source": "cna", "vendor": "smallstep"}, "product": "certificates", "vendor": "smallstep"}], "analysis": {"en": {"generated_at": "2026-03-19T21:20:23.802925+00:00", "value": {"mitigation_remediation": ["Upgrade to Smallstep \u2018certificates\u2019 v0.30.0 or later"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Certificate Issuance"}, "threat_synthesis": {"affected_systems": "Affected software is the Smallstep \u2018certificates\u2019 online certificate authority. All releases up to and including version 0.30.0\u2011rc6 are vulnerable. Version 0.30.0 contains the fix.", "description_and_impact": "The vulnerability allows an unauthenticated SCEP UpdateReq message (MessageType=18) to trigger the creation of a new certificate, effectively enabling an attacker to obtain a valid certificate from the Step CA system without proper authentication. The flaw is identified as a broken authentication weakness (CWE-287) combined with an improper default credential handling (CWE-295). Such unauthorized issuance permits an attacker to forge certificates that can be used for impersonation, man\u2011in\u2011the\u2011middle attacks, or to bypass authentication mechanisms relying on certificates, thereby compromising confidentiality, integrity, and availability of systems relying on the CA.", "risk_and_exploitability": "The CVSS score of 10 indicates critical severity. No exploit probability score is available, but the flaw does not require any privileged input from the targeted system. An attacker can simply send an unauthenticated SCEP UpdateReq to any instance of the vulnerable CA over the network, directly obtaining a rogue certificate. The vulnerability is not currently listed in the CISA KEV catalog, but its impact and high CVSS score warrant immediate attention."}}}}, "created": "2026-03-20T08:56:12.455311+00:00", "updated": "2026-03-20T11:06:22.586305+00:00", "vendors": ["smallstep", "smallstep$PRODUCT$certificates"]}