CVE-2026-30836

Smallstep · Step CA

Smallstep Step CA versions below 0.30.0 are vulnerable to an improper authentication flaw in the SCEP UpdateReq function, allowing unauthenticated attackers to issue certificates.

Executive summary

A critical authentication bypass in Smallstep Step CA allows unauthenticated attackers to issue unauthorized digital certificates, potentially undermining the entire PKI infrastructure.

Vulnerability

This vulnerability is caused by a failure to properly authenticate requests during the SCEP UpdateReq process. An unauthenticated attacker can exploit this to perform unauthorized certificate issuance, which violates the fundamental security assumptions of the certificate authority.

Business impact

The ability for an unauthenticated actor to issue certificates poses a catastrophic risk to the organization's PKI infrastructure. With a CVSS score of 10.0, this vulnerability could allow attackers to perform man-in-the-middle attacks, impersonate legitimate services, or decrypt secure communications, leading to total loss of trust in the system.

Remediation

Immediate Action: Update Smallstep Step CA to version 0.30.0 or later to ensure proper authentication is enforced for all certificate requests.

Proactive Monitoring: Audit existing certificate issuance logs for any unauthorized or unexpected certificate requests that occurred prior to the update.

Compensating Controls: Restrict access to the SCEP endpoint at the network level using firewalls or mutual TLS (mTLS) to ensure only authorized entities can interact with the service.
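One way to carry out the certificate audit described above, as an added example that is not code from this advisory or from Smallstep: it reads the provisioner extension step-ca embeds in the certificates it issues and flags those issued through a SCEP provisioner during the window in which the CA ran a vulnerable version. The extension OID (1.3.6.1.4.1.37476.9000.64.1), the SEQUENCE layout and the numeric SCEP type (10) are assumptions taken from step-ca's source rather than from this page, and the certificates used for input are constructed self-signed samples standing in for an export of the CA's database.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// step-ca records the issuing provisioner in a private extension. OID, SEQUENCE layout
// and SCEP type value are assumed from step-ca's source, not stated by the advisory.
var oidStepProvisioner = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1}
type stepProvisioner struct { // trailing SEQUENCE members are tolerated by asn1.Unmarshal
	Type         int
	Name         string
	CredentialID string
}
const typeSCEP = 10 // assumed numeric value of step-ca's SCEP provisioner type
// auditSCEP lists SCEP-issued certificates whose NotBefore lies in [start, end] (vulnerable window).
func auditSCEP(certs []*x509.Certificate, start, end time.Time) []string {
	var hits []string
	for _, c := range certs {
		for _, ext := range c.Extensions {
			if !ext.Id.Equal(oidStepProvisioner) {
				continue
			}
			var p stepProvisioner
			if _, err := asn1.Unmarshal(ext.Value, &p); err != nil || p.Type != typeSCEP || c.NotBefore.Before(start) || c.NotBefore.After(end) {
				continue
			}
			hits = append(hits, fmt.Sprintf("serial=%s provisioner=%q notBefore=%s", c.SerialNumber, p.Name, c.NotBefore.Format(time.RFC3339)))
		}
	}
	return hits
}
// constructedCert is constructed sample data: a self-signed cert carrying the extension, in place of a CA export.
func constructedCert(serial int64, p stepProvisioner, notBefore time.Time) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	raw, _ := asn1.Marshal(p)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), NotBefore: notBefore, NotAfter: notBefore.Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidStepProvisioner, Value: raw}},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

In practice the input is the certificate set exported from the CA's database, with the window set from the deployment of the vulnerable version to the 0.30.0 upgrade; any hit then has to be matched against a legitimate enrolment record or revoked.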

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability represents the highest level of risk to security infrastructure. Organizations must upgrade to version 0.30.0 immediately and conduct a thorough audit of their certificate store to ensure no unauthorized certificates have been issued.