{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30836", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.606Z", "datePublished": "2026-03-19T20:37:05.757Z", "dateUpdated": "2026-03-25T14:16:09.012Z"}, "containers": {"cna": {"title": "Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw"}, {"name": "https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef", "tags": ["x_refsource_MISC"], "url": "https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef"}, {"name": "https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7", "tags": ["x_refsource_MISC"], "url": "https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7"}], "affected": [{"vendor": "smallstep", "product": "certificates", "versions": [{"version": "< 0.30.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:37:05.757Z"}, "descriptions": [{"lang": "en", "value": "Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0."}], "source": {"advisory": "GHSA-q4r8-xm5f-56gw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:15:50.363882Z", "id": "CVE-2026-30836", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:16:09.012Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30836", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.606Z", "datePublished": "2026-03-19T20:37:05.757Z", "dateUpdated": "2026-03-25T14:16:09.012Z"}, "containers": {"cna": {"title": "Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw"}, {"name": "https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef", "tags": ["x_refsource_MISC"], "url": "https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef"}, {"name": "https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7", "tags": ["x_refsource_MISC"], "url": "https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7"}], "affected": [{"vendor": "smallstep", "product": "certificates", "versions": [{"version": "< 0.30.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:37:05.757Z"}, "descriptions": [{"lang": "en", "value": "Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0."}], "source": {"advisory": "GHSA-q4r8-xm5f-56gw", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30836", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:15:50.363882Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:15:54.392Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:smallstep:step-ca:*:*:*:*:*:go:*:*", "matchCriteriaId": "55DF2401-9601-4B51-9AB2-86A19579AC41", "versionEndExcluding": "0.30.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc1:*:*:*:go:*:*", "matchCriteriaId": "D49EF50A-2928-4577-A5AD-0CD81C9E1AE8", "vulnerable": true}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc2:*:*:*:go:*:*", "matchCriteriaId": "E238C89C-4A97-4FA1-8DE0-9FE51CDF59B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc3:*:*:*:go:*:*", "matchCriteriaId": "36F90BB4-B07E-496D-B325-A4D9365E251C", "vulnerable": true}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc4:*:*:*:go:*:*", "matchCriteriaId": "0307DFDF-481F-4AAB-B763-6DB8B6C7A26E", "vulnerable": true}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc5:*:*:*:go:*:*", "matchCriteriaId": "D90ACCF3-B841-424A-ADA8-C957ED6A900F", "vulnerable": true}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc6:*:*:*:go:*:*", "matchCriteriaId": "F5AACCF3-DE86-4453-98DD-9D42D1164C3B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0."}, {"lang": "es", "value": "Step CA es una autoridad de certificaci\u00f3n en l\u00ednea para la gesti\u00f3n de certificados segura y automatizada para DevOps. Las versiones 0.30.0-rc6 e inferiores no protegen contra la emisi\u00f3n de certificados no autenticada a trav\u00e9s de la solicitud SCEP UpdateReq. Este problema ha sido corregido en la versi\u00f3n 0.30.0."}], "id": "CVE-2026-30836", "lastModified": "2026-04-27T13:41:54.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T21:17:09.783", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-295"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/smallstep/certificates: Step CA: Unauthenticated certificate issuance via SCEP Update Request", "id": "2449211", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2449211"}, "csaw": false, "cvss3": {"cvss3_base_score": "10.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-306", "details": ["A flaw was found in Step CA, an online certificate authority. A remote attacker can exploit this vulnerability by sending an unauthenticated SCEP (Simple Certificate Enrollment Protocol) Update Request. This allows the attacker to issue unauthorized certificates, potentially leading to a compromise of the certificate management system and enabling further attacks such as impersonation or man-in-the-middle attacks."], "name": "CVE-2026-30836", "public_date": "2026-03-19T20:37:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-30836\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-30836\nhttps://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef\nhttps://github.com/smallstep/certificates/compare/v0.30.0-rc6...v0.30.0-rc7\nhttps://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7\nhttps://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw"], "statement": "No Red Hat products are impacted. The affected component (Step CA) is not used or provided by any products.", "threat_severity": "Critical"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.30.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "certificates", "source": "cna", "vendor": "smallstep"}, "product": "certificates", "vendor": "smallstep"}], "analysis": {"en": {"generated_at": "2026-03-21T06:48:38.361945+00:00", "value": {"mitigation_remediation": ["Upgrade to smallstep certificates version 0.30.0\u2011rc7 or later."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Certificate Issuance"}, "threat_synthesis": {"affected_systems": "The impacted software is smallstep certificates. Any installation of version 0.30.0\u2011rc6 or earlier is vulnerable. Version 0.30.0\u2011rc7 and later contain the fix, as released in the 0.30.0\u2011rc7 release cycle.", "description_and_impact": "This flaw in Step CA allows an attacker to request and receive a new X.509 certificate via the SCEP UpdateReq message without any authentication. The vulnerability requires no credentials, enabling the creation of certificates that can carry any desired identity. By issuing such forged certificates, an adversary can impersonate authentic services, facilitating man\u2011in\u2011the\u2011middle or phishing attacks, and undermining TLS trust in the environment. Root causes include an authentication bypass (CWE\u2011287), unprotected use of certificate signing (CWE\u2011295), and insecure default configuration (CWE\u2011306).", "risk_and_exploitability": "The CVSS score is 10, indicating the maximum possible severity. The EPSS score is below 1\u2009%, suggesting that, although the vulnerability is severe, the likelihood of exploitation in the wild is currently low. It is not listed in the CISA KEV catalog. The likely attack vector is network\u2011based, targeting the SCEP endpoint through HTTP or HTTPS traffic. As authentication is not required, any party able to communicate with the SCEP interface can exploit this flaw. The impact is potentially system\u2011wide, as any certificate issued may be trusted by all services that rely on the certificate authority."}}}}, "created": "2026-03-20T08:56:12.455311+00:00", "updated": "2026-03-25T11:55:00.170903+00:00", "vendors": ["smallstep", "smallstep$PRODUCT$certificates"]}