2449211 – (CVE-2026-30836) CVE-2026-30836 github.com/smallstep/certificates: Step CA: Unauthenticated certificate issuance via SCEP Update Request

Bug 2449211 (CVE-2026-30836) - CVE-2026-30836 github.com/smallstep/certificates: Step CA: Unauthenticated certificate issuance via SCEP Update Request

Summary: CVE-2026-30836 github.com/smallstep/certificates: Step CA: Unauthenticated ce...

Keywords:
Status:	NEW
Alias:	CVE-2026-30836
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-19 21:02 UTC by OSIDB Bzimport
Modified:	2026-03-20 21:17 UTC (History)
CC List:	31 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-19 21:02:57 UTC

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.

Note You need to log in before you can comment on or make changes to this bug.

abuckta
adudiak
aprice
bdettelb
caswilli
cmah
crizzo
dkuc
doconnor
gtanzill
jbuscemi
jdobes
jmitchel
jsamir
jsherril
jvasik
kaycoth
kgaikwad
kshier
mstipich
oezr
orabin
pbohmill
rblanco
rexwhite
rochandr
stcannon
sthirugn
teagle
vmugicag
yguenane