Platform: go
Component: github.com/smallstep/certificates
Fixed in: 0.30.1, 0.30.0
CVE-2026-30836 is a critical authorization bypass in Smallstep Certificates (step-ca), specifically in the SCEP (Simple Certificate Enrollment Protocol) provisioner. An attacker can use the flaw to obtain certificates without the provisioner's authorization checks being applied, so the CA can be made to issue certificates for malicious purposes. Versions prior to 0.30.0 are affected; a patched release is available.
The impact is severe. An attacker who exploits CVE-2026-30836 obtains certificates the CA never authorized and can use them to impersonate legitimate identities or reach resources that trust certificates from this CA, with data exposure, privilege escalation and rogue infrastructure as the likely consequences. Because issuance itself is the control that failed, the resulting certificates carry a valid CA signature and look legitimate to every relying party, which makes abuse hard to detect after the fact. The blast radius is every system or service that trusts certificates issued by the vulnerable Smallstep CA.
CVE-2026-30836 was publicly disclosed on 2026-03-19. No public proof-of-concept (PoC) code has been released as of this writing, and the EPSS score of 0.01% (1st percentile) indicates a low predicted probability of exploitation in the wild over the next 30 days. EPSS measures likelihood, not impact: the consequence of a successful bypass is unauthorized certificate issuance, which is why the fix should be applied promptly regardless of the score. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2026-30836 is to upgrade Smallstep Certificates to version 0.30.0 or later. If an immediate upgrade is not feasible because of compatibility or downtime constraints, reduce exposure in the meantime: disable the SCEP provisioner if it is not required, restrict network access to the SCEP endpoint to the enrollment networks that need it, and consider fronting the endpoint with a filter that rejects SCEP PKIOperation messages whose messageType is not one your clients legitimately send. None of this is a complete fix, only a temporary layer of defense. Review SCEP request logs and the list of issued certificates for enrollments you did not expect. After upgrading, confirm the fix by submitting a SCEP enrollment request with an invalid challenge password and checking that the CA rejects it.
Update Step CA to version 0.30.0 or higher. This version fixes the vulnerability that allows unauthenticated certificate issuance via SCEP UpdateReq.
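The network-level filter suggested above can be made concrete. The Go program below is an added example written for this page, not code from smallstep/certificates, its SCEP library, or the official advisory. Using only the standard library, it parses the CMS SignedData envelope that every SCEP PKIOperation carries, reads the signed messageType attribute (OID 2.16.840.1.113733.1.9.2, RFC 8894 section 3.2.1.2), and forwards only message types a client legitimately sends. Assumptions not stated on this page: the numeric value "18" for UpdateReq is taken from the pre-RFC SCEP drafts as used by the micromdm/smallstep SCEP libraries; the function names MessageType, Gate, sampleRequest and mustMarshal are this example's own; and the sample messages are constructed placeholders with no real signature.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// CMS content-type OIDs (RFC 5652) and the SCEP messageType attribute OID (RFC 8894).
var (
	oidSignedData  = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
	oidData        = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 1}
	oidMessageType = asn1.ObjectIdentifier{2, 16, 840, 1, 113733, 1, 9, 2}
)

// Just enough CMS SignedData structure to reach the signed attributes. Optional tagged
// members are slices so encoding/asn1 skips them when absent instead of swallowing the next element.
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     asn1.RawValue `asn1:"explicit,tag:0"`
}
type attribute struct {
	Type   asn1.ObjectIdentifier
	Values []asn1.RawValue `asn1:"set"`
}
type signerInfo struct {
	Version            int
	SID                asn1.RawValue
	DigestAlgorithm    asn1.RawValue
	SignedAttrs        []attribute `asn1:"optional,tag:0"`
	SignatureAlgorithm asn1.RawValue
	Signature          []byte
}
type signedData struct {
	Version          int
	DigestAlgorithms []asn1.RawValue `asn1:"set"`
	EncapContentInfo asn1.RawValue
	Certificates     []asn1.RawValue `asn1:"optional,tag:0"`
	CRLs             []asn1.RawValue `asn1:"optional,tag:1"`
	SignerInfos      []signerInfo    `asn1:"set"`
}

// MessageType returns the SCEP messageType signed attribute of a DER PKIOperation body.
// Structure only: the CMS signature is NOT verified, so the value is a client claim, which is all an allow-list needs.
func MessageType(der []byte) (string, error) {
	var ci contentInfo
	if rest, err := asn1.Unmarshal(der, &ci); err != nil || len(rest) != 0 || !ci.ContentType.Equal(oidSignedData) {
		return "", fmt.Errorf("not a well-formed CMS SignedData (err=%v, trailing=%d)", err, len(rest))
	}
	var sd signedData
	if _, err := asn1.Unmarshal(ci.Content.Bytes, &sd); err != nil {
		return "", fmt.Errorf("SignedData: %w", err)
	}
	if len(sd.SignerInfos) != 1 {
		return "", fmt.Errorf("expected one SignerInfo, got %d", len(sd.SignerInfos))
	}
	for _, a := range sd.SignerInfos[0].SignedAttrs {
		if !a.Type.Equal(oidMessageType) {
			continue
		}
		if v := a.Values; len(v) == 1 && v[0].Class == asn1.ClassUniversal && v[0].Tag == asn1.TagPrintableString {
			return string(v[0].Bytes), nil
		}
		return "", errors.New("malformed messageType attribute")
	}
	return "", errors.New("messageType attribute missing")
}

// Types the gate forwards, keyed by RFC 8894 number. "18" (UpdateReq in the pre-RFC drafts and the
// micromdm/smallstep SCEP libraries; an assumption, the page gives no number) is deliberately absent.
var allowedTypes = map[string]string{"17": "RenewalReq", "19": "PKCSReq", "20": "CertPoll", "21": "GetCert", "22": "GetCRL"}

// Gate reports whether a PKIOperation body may be forwarded to the CA, with a reason.
func Gate(der []byte) (bool, string) {
	mt, err := MessageType(der)
	if err != nil {
		return false, "reject: " + err.Error()
	}
	if name, ok := allowedTypes[mt]; ok {
		return true, name
	}
	return false, "reject: messageType " + mt + " not allowed"
}

// sampleRequest is constructed test data: a structurally valid SignedData carrying the given
// messageType, with empty algorithm fields and a placeholder signature a real CA would reject.
func sampleRequest(messageType string) []byte {
	empty := asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true}
	sd := signedData{Version: 1, DigestAlgorithms: []asn1.RawValue{empty},
		EncapContentInfo: asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: mustMarshal(oidData)},
		SignerInfos: []signerInfo{{Version: 1, SID: empty, DigestAlgorithm: empty, SignatureAlgorithm: empty,
			SignedAttrs: []attribute{{Type: oidMessageType, Values: []asn1.RawValue{{Tag: asn1.TagPrintableString, Bytes: []byte(messageType)}}}},
			Signature: []byte("placeholder-not-a-real-signature")}}}
	return mustMarshal(contentInfo{ContentType: oidSignedData, Content: asn1.RawValue{Class: asn1.ClassContextSpecific, IsCompound: true, Bytes: mustMarshal(sd)}})
}

func mustMarshal(v interface{}) []byte {
	b, err := asn1.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	for _, mt := range []string{"19", "17", "18", "99"} {
		ok, why := Gate(sampleRequest(mt))
		fmt.Printf("messageType %s -> forward=%v (%s)\n", mt, ok, why)
	}
}
```

Deciding on the client-supplied messageType is sound for an allow-list even though the signature is never checked: assuming, as the fix note above indicates, that the bypass lies in the handling of UpdateReq, a client that relabels its request as PKCSReq only subjects itself to the CA's normal PKCSReq checks. The gate is a stopgap, not a fix, and it verifies nothing cryptographic; a deployment has to feed it the raw body of POSTed PKIOperation requests and the base64-decoded message query parameter of GET-style ones before deciding whether to proxy the request on to step-ca.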
CVE-2026-30836 is a critical vulnerability in Smallstep Certificates that allows attackers to bypass authorization checks during SCEP certificate provisioning, potentially leading to unauthorized certificate issuance.
If you run Smallstep Certificates prior to version 0.30.0 with the SCEP provisioner enabled, you are potentially affected by this vulnerability.
Upgrade to Smallstep Certificates version 0.30.0 or later to mitigate this vulnerability. Consider implementing stricter SCEP request validation as a temporary measure.
No public exploits are currently known and the EPSS score is low. Even so, an authorization bypass in a CA's enrollment path is a high-value target, so treat the upgrade as urgent rather than waiting for a PoC to appear.
Refer to the official Smallstep security advisory for detailed information and updates: [https://smallstep.com/security/advisories/CVE-2026-30836](https://smallstep.com/security/advisories/CVE-2026-30836)