CVE-2026-30836

{"id": "CVE-2026-30836", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 3.9}]}, "published": "2026-03-19T21:17:09.783", "references": [{"url": "https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-295"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0."}, {"lang": "es", "value": "Step CA es una autoridad de certificaci\u00f3n en l\u00ednea para la gesti\u00f3n de certificados segura y automatizada para DevOps. Las versiones 0.30.0-rc6 e inferiores no protegen contra la emisi\u00f3n de certificados no autenticada a trav\u00e9s de la solicitud SCEP UpdateReq. Este problema ha sido corregido en la versi\u00f3n 0.30.0."}], "lastModified": "2026-04-27T13:41:54.727", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:smallstep:step-ca:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "55DF2401-9601-4B51-9AB2-86A19579AC41", "versionEndExcluding": "0.30.0"}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc1:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "D49EF50A-2928-4577-A5AD-0CD81C9E1AE8"}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc2:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "E238C89C-4A97-4FA1-8DE0-9FE51CDF59B9"}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc3:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "36F90BB4-B07E-496D-B325-A4D9365E251C"}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc4:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "0307DFDF-481F-4AAB-B763-6DB8B6C7A26E"}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc5:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "D90ACCF3-B841-424A-ADA8-C957ED6A900F"}, {"criteria": "cpe:2.3:a:smallstep:step-ca:0.30.0:rc6:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "F5AACCF3-DE86-4453-98DD-9D42D1164C3B"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}