CVE-2026-30836: step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
⚠️ Limited Disclosure — Full Details Pending
A critical security vulnerability has been identified in Step CA. An updated version, v0.30.0, is available and all operators are strongly encouraged to upgrade immediately.
Full details of this vulnerability will be published in this security advisory on March 30, 2026. If you have urgent questions in the meantime, please contact security@smallstep.com.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-30836 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →