Advisories for Golang/Github.com/Smallstep/Certificates package

2026

step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)

⚠️ Limited Disclosure — Full Details Pending

A critical security vulnerability has been identified in Step CA. An updated version, v0.30.0, is available and all operators are strongly encouraged to upgrade immediately. Full details of this vulnerability will be published in this security advisory on March 30, 2026. If you have urgent questions in the meantime, please contact security@smallstep.com.

2025

Step CA Has Authorization Bypass in ACME and SCEP Provisioners

A security fix is now available for Step CA that resolves a vulnerability affecting deployments configured with ACME and/or SCEP provisioners. All operators running these provisioners should upgrade to the latest release (v0.29.0) immediately. The issue was discovered and disclosed by a research team during a security review. There is no evidence of active exploitation. To limit exploitation risk during a coordinated disclosure window, we are withholding detailed technical information …