CVE-2026-30836 CRITICAL

CVE-2026-30836: Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)

Vendor Smallstep
Product certificates
Weakness CWE-287 · Improper authentication
Published March 19, 2026
Last update March 25, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.

Key dates

02Disclosure timeline

March 19, 2026 CVE published
March 25, 2026 Record updated