CVE-2026-30836
Published: 19 March 2026
Summary
CVE-2026-30836 is a critical-severity Improper Authentication (CWE-287) vulnerability in Smallstep step-ca. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 21.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
Step CA, an online certificate authority designed for secure, automated certificate management in DevOps environments, contains a critical vulnerability in versions 0.30.0-rc6 and prior. Designated CVE-2026-30836 and published on 2026-03-19, the flaw (mapped to CWE-287: Improper Authentication and CWE-295: Improper Certificate Validation) fails to prevent unauthenticated certificate issuance via the SCEP UpdateReq endpoint. It carries the maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N): the endpoint is reachable over the network, the attack complexity is low, and no privileges or user interaction are required.
Unauthenticated attackers with network access to a vulnerable Step CA instance can exploit this by sending crafted SCEP UpdateReq requests, bypassing authentication controls to obtain arbitrary certificates. Successful exploitation has high confidentiality and integrity impact, enabling certificate-based impersonation, man-in-the-middle attacks, or unauthorized access to any system that trusts certificates from the CA, so the impact extends beyond the CA itself (scope: changed).
The issue is addressed in Step CA version 0.30.0, with the fixing commit available at https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef and release notes at https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7. Security practitioners should upgrade immediately to patched versions, as detailed in the GitHub Security Advisory at https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw, and review SCEP configurations for exposure.
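Since the affected range ends at a release candidate (0.30.0-rc6 and below) while the fix ships in 0.30.0, a naive string comparison of step-ca versions gets the rc boundary wrong. The following checker is an added example for this page, not code from the smallstep/certificates project: it orders release candidates before the matching final release and flags a version as affected exactly when it is at or below 0.30.0-rc6, as the advisory text states. The banner format "Smallstep CA/<version> (<os>/<arch>)" that `version_from_banner` parses is an assumption about the output of `step-ca version`; the sample banners are constructed.

```python
"""Classify a step-ca version against the CVE-2026-30836 affected range.

Added example for this advisory page; not project code. Boundaries come from
the advisory text: 0.30.0-rc6 and below are affected, 0.30.0 contains the fix.
"""
import re
from typing import Optional, Tuple

# step-ca tags look like 0.30.0 or 0.30.0-rc6; a leading "v" is tolerated.
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")

LAST_AFFECTED = "0.30.0-rc6"
FIXED_IN = "0.30.0"


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable tuple for a step-ca version string.

    A release candidate sorts before the final release with the same number,
    so 0.30.0-rc6 < 0.30.0-rc7 < 0.30.0. The fourth element is 0 for a
    pre-release and 1 for a final release; the fifth is the rc number.
    Raises ValueError for strings that do not look like a step-ca version.
    """
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised step-ca version: {version!r}")
    major, minor, patch, rc = match.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch), is_final, int(rc or 0))


def is_affected(version: str) -> bool:
    """True when the version is at or below the last affected build."""
    return version_key(version) <= version_key(LAST_AFFECTED)


# Assumed banner format for the first line of `step-ca version`:
#   Smallstep CA/<version> (<os>/<arch>)
# Adjust the pattern if your build prints something different.
BANNER_RE = re.compile(r"Smallstep CA/(\S+)")


def version_from_banner(banner: str) -> Optional[str]:
    """Extract the version token from a `step-ca version` banner, if present."""
    match = BANNER_RE.search(banner)
    return match.group(1) if match else None


def assess(banner: str) -> str:
    """Produce a one-line verdict for a banner captured from a host."""
    version = version_from_banner(banner)
    if version is None:
        return "unknown: could not find a step-ca version in the banner"
    try:
        affected = is_affected(version)
    except ValueError as exc:
        return f"unknown: {exc}"
    if affected:
        return (f"AFFECTED: step-ca {version} is at or below {LAST_AFFECTED}; "
                f"upgrade to {FIXED_IN} or later")
    return f"not affected: step-ca {version} is newer than {LAST_AFFECTED}"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = (
        "Smallstep CA/0.28.4 (linux/amd64)",
        "Smallstep CA/0.30.0-rc6 (linux/amd64)",
        "Smallstep CA/0.30.0 (linux/amd64)",
    )
    for sample in samples:
        print(assess(sample))
```

Feed `assess` the first line of `step-ca version` from each CA host in an inventory; anything reported as AFFECTED should be upgraded, and the SCEP provisioner configuration on those hosts reviewed as the advisory recommends.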
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13200
Vulnerability details
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public SCEP endpoint enables unauthenticated exploitation of the CA (T1190) to forge valid authentication certificates (T1649) for impersonation and man-in-the-middle attacks (T1557).
Mitigating Controls (NIST 800-53 r5)
- AC-3, Access Enforcement, requires the system to enforce approved authorizations, directly preventing unauthenticated certificate issuance via the SCEP UpdateReq endpoint.
- AC-14, Permitted Actions Without Identification or Authentication, explicitly restricts and documents the actions allowed without authentication, ensuring that certificate issuance is never one of them.
- Identification and Authentication (Non-Organizational Users) mandates unique identification and authentication for external entities, blocking unauthorized parties from using the SCEP endpoint.