Platform
go
Component
github.com/smallstep/certificates
Fixed in
0.30.1
0.30.0
CVE-2026-30836 describes a critical authorization bypass vulnerability in Smallstep Certificates, specifically within the SCEP (Simple Certificate Enrollment Protocol) provisioner. An attacker can exploit this flaw to create certificates without proper authorization checks being performed, potentially leading to the issuance of certificates for malicious purposes. This vulnerability affects versions prior to 0.30.0, and a patch has been released to address the issue.
The impact of this vulnerability is severe. An attacker who successfully exploits CVE-2026-30836 can generate certificates without authorization, effectively impersonating legitimate entities or gaining access to resources protected by those certificates. This could lead to widespread compromise, including data breaches, privilege escalation, and the deployment of malicious infrastructure. The ability to bypass authorization checks fundamentally undermines the trust model of the certificate authority, allowing attackers to operate with a high degree of anonymity and potentially evade detection. The blast radius extends to any system or service relying on certificates issued by the vulnerable Smallstep CA.
CVE-2026-30836 was publicly disclosed on 2026-03-19. The vulnerability's severity is high due to the potential for unauthorized certificate issuance. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation described in the advisory suggests a high probability of exploitation if a PoC is developed. It is not currently listed on the CISA KEV catalog.
Organizations relying on Smallstep Certificates as their certificate authority, particularly those using SCEP for device enrollment or automated certificate provisioning, are at significant risk. This includes DevOps teams managing infrastructure-as-code, IoT device manufacturers using SCEP for device certificates, and organizations with legacy systems that rely on SCEP for authentication.
• linux / server: Monitor Smallstep Certificates logs for unusual SCEP requests or certificate issuance events. Use journalctl -u smallstep-ca to filter for relevant log messages.
journalctl -u smallstep-ca | grep -i "scep request" | grep -i "authorization"
• go / supply-chain: Examine the Smallstep Certificates source code for instances of the vulnerable SCEP parsing logic. Look for areas where message type validation is insufficient.
• generic web: If Smallstep Certificates is exposed via a web interface, monitor access logs for suspicious requests targeting the SCEP endpoint.
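For the go / supply-chain check, the following program (an added example, not code from this advisory or from the Smallstep project) scans go.mod text for github.com/smallstep/certificates at any version below the 0.30.0 fix named above, ordering pre-releases and Go pseudo-versions correctly; the go.mod fragment in main is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// From the advisory: releases of this module before 0.30.0 are affected.
const vulnerableModule, fixedVersion = "github.com/smallstep/certificates", "v0.30.0"
// versionKey maps "v0.29.1", "v0.30.0-rc.1" or a pseudo-version like "v0.29.1-0.20260101000000-abcdef123456"
// to an int ordered like semver: MAJOR, MINOR, PATCH, with a "-" pre-release sorting just below its release.
func versionKey(v string) (key int, ok bool) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // "+build" metadata never affects ordering
	core, _, pre := strings.Cut(v, "-")
	parts := strings.Split(core, ".")
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return 0, false
		}
		key = key*100000 + n
	}
	if key *= 2; !pre {
		key++ // the release itself sorts above its own pre-releases
	}
	return key, len(parts) == 3
}

// vulnerableVersions scans go.mod text (single-line "require M V" or require blocks; replace
// directives are not evaluated) and returns every required version of the module below the fix.
func vulnerableVersions(gomod string) []string {
	fixed, _ := versionKey(fixedVersion)
	var hits []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 || f[0] != vulnerableModule || f[1] == "=>" {
			continue
		}
		if k, ok := versionKey(f[1]); !ok || k < fixed {
			hits = append(hits, f[1]) // unparsable versions are reported rather than silently passed
		}
	}
	return hits
}

func main() {
	// Constructed go.mod fragment for demonstration; not taken from any real project.
	gomod := "module example.com/app\n\nrequire (\n\tgithub.com/smallstep/certificates v0.29.0 // indirect\n\tgolang.org/x/crypto v0.30.0\n)\n"
	fmt.Println(vulnerableVersions(gomod)) // [v0.29.0]
}
```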
disclosure
Exploit Status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-30836 is to immediately upgrade to Smallstep Certificates version 0.30.0 or later. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider implementing stricter SCEP request validation rules at the network level to filter out potentially malicious requests. While not a complete solution, this can provide a temporary layer of defense. Monitor SCEP request logs for unusual patterns or unexpected certificate requests. After upgrading, confirm the fix by attempting a SCEP request with invalid credentials to ensure authorization checks are properly enforced.
Update Step CA to version 0.30.0 or later. This version fixes the vulnerability that allows unauthenticated certificates to be issued via SCEP UpdateReq.
CVE-2026-30836 is a critical vulnerability in Smallstep Certificates that allows attackers to bypass authorization checks during SCEP certificate provisioning, potentially leading to unauthorized certificate issuance.
If you are using Smallstep Certificates versions prior to 0.30.0 and utilize the SCEP provisioner, you are potentially affected by this vulnerability.
Upgrade to Smallstep Certificates version 0.30.0 or later to mitigate this vulnerability. Consider implementing stricter SCEP request validation as a temporary measure.
While no public exploits are currently known, the ease of exploitation suggests a high probability of exploitation if a PoC is developed.
Refer to the official Smallstep security advisory for detailed information and updates: [https://smallstep.com/security/advisories/CVE-2026-30836](https://smallstep.com/security/advisories/CVE-2026-30836)