PT-2026-26343 · Step Ca · Step Ca

Prasanthsundararajan69 · Published 2026-03-19 · Updated 2026-04-27 · CVE-2026-30836

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Step CA versions 0.30.0-rc6 and below

Description: Step CA is an online certificate authority designed for secure, automated certificate management. A flaw exists where the software does not adequately protect against unauthenticated certificate issuance through the SCEP UpdateReq message (MessageType=18). This allows attackers to potentially obtain valid certificates for any domain without providing credentials. The SCEP UpdateReq bypasses all authentication checks within Step CA.

Recommendations: Versions prior to 0.30.0 should be upgraded to version 0.30.0.
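As an added example that is not part of this advisory or of the Step CA project's code: a small Python check that decides whether a reported step-ca version string falls in the affected range stated above, treating everything that sorts before the fixed release 0.30.0 (including prereleases such as 0.30.0-rc6) as affected, and applies it to a constructed host inventory. It assumes semver 2.0 precedence rules for prerelease identifiers; the host names and versions in the inventory are made up.

```python
# Added example, not from the advisory or the Step CA project: flag step-ca
# builds in the stated affected range "0.30.0-rc6 and below" (fixed in 0.30.0).
import re

FIXED_VERSION = "0.30.0"  # fixed release named in the advisory's recommendation

# MAJOR.MINOR.PATCH, optional -PRERELEASE and +BUILD, optional leading "v"
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)

def parse_version(text):
    """Sortable semver 2.0 key. As plain strings "0.30.0" < "0.30.0-rc6", the
    wrong way round: a prerelease must sort *before* its release, so a release
    gets the marker (1,) and a prerelease (0, identifiers)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, (1,))
    # Dot-separated identifiers: numeric ones compare as integers and sort
    # before alphanumeric ones, which compare in ASCII order (a semver wart:
    # "rc10" < "rc9"; the advisory's rc6 is not affected by it).
    idents = tuple((0, int(i)) if i.isdigit() else (1, i) for i in pre.split("."))
    return (major, minor, patch, (0, idents))

def is_affected(version):
    """True for every version sorting before 0.30.0. Assumption: the advisory's
    "0.30.0-rc6 and below" means all earlier releases plus every 0.30.0
    prerelease, and nothing from 0.30.0 onward."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def audit_inventory(inventory):
    """Return sorted host names whose reported step-ca version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))

# Constructed sample inventory (host -> reported version), not real data.
SAMPLE_INVENTORY = {
    "ca-prod-1": "v0.30.0",
    "ca-prod-2": "0.30.0-rc6",
    "ca-lab": "0.29.1",
    "ca-stage": "0.30.1",
}

if __name__ == "__main__":
    for host in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to {FIXED_VERSION}")
```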

Weakness Enumeration

Improper Certificate Validation
Improper Authentication

Related Identifiers

CLEANSTART-2026-CE02533
CLEANSTART-2026-CV29689
CLEANSTART-2026-UZ79996
CVE-2026-30836
GHSA-Q4R8-XM5F-56GW
GO-2026-4775
SUSE-SU-2026:1135-1

Affected Products

Step Ca