Description
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
Published: 2026-03-19
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Certificate Issuance
Action: Immediate Patch
AI Analysis

Impact

This flaw in Step CA allows an attacker to request and receive a new X.509 certificate via the SCEP UpdateReq message without any authentication. The vulnerability requires no credentials, enabling the creation of certificates that can carry any desired identity. By issuing such forged certificates, an adversary can impersonate authentic services, facilitating man-in-the-middle or phishing attacks, and undermining TLS trust in the environment. Root causes include an authentication bypass (CWE-287), unprotected use of certificate signing (CWE-295), and insecure default configuration (CWE-306).

Affected Systems

The impacted software is smallstep certificates. Any installation of version 0.30.0-rc6 or earlier is vulnerable. Version 0.30.0-rc7 and later contain the fix.

Risk and Exploitability

The CVSS score is 10, indicating the maximum possible severity. The EPSS score is below 1%, suggesting that, although the vulnerability is severe, the likelihood of exploitation in the wild is currently low. It is not listed in the CISA KEV catalog. The likely attack vector is network-based, targeting the SCEP endpoint through HTTP or HTTPS traffic. As authentication is not required, any party able to communicate with the SCEP interface can exploit this flaw. The impact is potentially system-wide, as any certificate issued may be trusted by all services that rely on the certificate authority.

Generated by OpenCVE AI on March 21, 2026 at 06:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to smallstep certificates version 0.30.0-rc7 or later.



Advisories
Source: Github GHSA
ID: GHSA-q4r8-xm5f-56gw
Title: step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
History

Wed, 25 Mar 2026 15:15:00 +0000

Type: Metrics
  Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 21 Mar 2026 05:30:00 +0000

Type: Weaknesses
  Values added: CWE-306

Type: References

Type: Metrics
  Values removed: threat_severity None
  Values added: threat_severity Critical


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
  Values added: Smallstep; Smallstep certificates

Type: Vendors & Products
  Values added: Smallstep; Smallstep certificates

Thu, 19 Mar 2026 20:45:00 +0000

Type: Description
  Values added: Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.

Type: Title
  Values added: Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)

Type: Weaknesses
  Values added: CWE-287; CWE-295

Type: References

Type: Metrics
  Values added: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}


Subscriptions

Smallstep Certificates
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:16:09.012Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30836

Vulnrichment

Updated: 2026-03-25T14:15:54.392Z

NVD

Status : Awaiting Analysis

Published: 2026-03-19T21:17:09.783

Modified: 2026-03-20T13:39:46.493

Link: CVE-2026-30836

Redhat

Severity : Critical

Public Date: 2026-03-19T20:37:05Z

Links: CVE-2026-30836 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T11:55:00Z

Weaknesses