← Back

CVE-2026-30836

nvd nist
Published: Mar 19, 2026Modified: Apr 27, 2026

JSON object

Loading...
10.0
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Exploitability: 3.9 / Impact: 5.8
Source: security-advisories@github.com (Secondary)

Description

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.

Affected (7)

Products: Smallstep: Step Ca
Smallstep
1 product
Step Ca
Configuration A
7 vulnerable
Vulnerable SoftwareAffected Versions
Smallstep
Step Ca
Before 0.30.0
Step Ca
Version 0.30.0 rc1
Step Ca
Version 0.30.0 rc2
Step Ca
Version 0.30.0 rc3
Step Ca
Version 0.30.0 rc4
Step Ca
Version 0.30.0 rc5
Step Ca
Version 0.30.0 rc6

Related CWEs

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-295
Improper Certificate Validation
The product does not validate, or incorrectly validates, a certificate.

References (3)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Vendor Advisory

Timeline

No history available yet.