CVSS Base Score: 10

CVE-2026-30836

Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
Data provided by the National Vulnerability Database (NVD)
Smallstep Step-ca, Version < 0.30.0, SwPlatform go
Smallstep Step-ca, Version 0.30.0, Update rc1, SwPlatform go
Smallstep Step-ca, Version 0.30.0, Update rc2, SwPlatform go
Smallstep Step-ca, Version 0.30.0, Update rc3, SwPlatform go
Smallstep Step-ca, Version 0.30.0, Update rc4, SwPlatform go
Smallstep Step-ca, Version 0.30.0, Update rc5, SwPlatform go
Smallstep Step-ca, Version 0.30.0, Update rc6, SwPlatform go
No warning was found for this CVE.
EPSS Metrics
Type: EPSS
Source: FIRST.org
Score: 0.3%
Percentile: 0.21
CVSS Metrics
Source: security-advisories@github.com
Base Score: 10
Exploit Score: 3.9
Impact Score: 5.8
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

Vendor Advisory: https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw
Patch: https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef
Release Notes: https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7