GHSA-Q4R8-XM5F-56GW
Vulnerability from github – Published: 2026-03-19 16:27 – Updated: 2026-04-08 11:57
Summary
An attacker can force a Step CA SCEP provisioner to create certificates without completing certain protocol authorization checks.
Details
SCEP requests carry a message type. On receipt of a SCEP request, Step CA starts processing it by parsing its contents. Message types that the parser considered valid, but that Step CA did not explicitly support, were nonetheless parsed successfully. While processing the parsed SCEP message, the authorization logic was skipped for those unsupported message types.
As a result, the request would be treated as authorized, bypassing the authorization checks normally enforced as part of the SCEP protocol and its implementation in Step CA.
Authorization webhooks and regular CA policies, such as allowed names and restrictions on certificate validity periods, remain in place.
Mitigations
If you are unable to upgrade to v0.30.0 or newer, the attack can be mitigated by (temporarily) disabling or removing SCEP provisioners, or restricting access to SCEP provisioners to trusted clients only.
Fix
In v0.30.0, additional validation was added to SCEP provisioners, so that they reject unsupported message types.
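The defect class the Details and Fix sections describe is a message-type dispatch that only wires authorization into the branches it knows about, so any other type that parses falls through to issuance. The example below is an added illustration in Go (the project's language), not Step CA's code: `Request`, `authorize`, `issue`, the two handlers and the challenge value are all hypothetical stand-ins, and the message-type constants are the SCEP values from RFC 8894 plus UpdateReq = 18 from earlier SCEP drafts, the type named in this advisory's summary. `handleVulnerable` shows the fall-through; `handleFixed` shows the default-deny allow-list the fix adds, rejecting unsupported types before any authorization or issuance runs.

```go
package main

import (
	"errors"
	"fmt"
)

// SCEP messageType values (RFC 8894 section 3.2.1.2). UpdateReq = 18 comes from
// earlier SCEP drafts and is the type named in this advisory's summary.
const (
	MsgCertRep    = 3
	MsgRenewalReq = 17
	MsgUpdateReq  = 18
	MsgPKCSReq    = 19
	MsgCertPoll   = 20
	MsgGetCert    = 21
	MsgGetCRL     = 22
)

// Request is a toy stand-in for a parsed SCEP PKIMessage (constructed for this example).
type Request struct {
	MessageType       int
	ChallengePassword string
	Subject           string
}

var (
	ErrUnauthorized = errors.New("scep: request not authorized")
	ErrUnsupported  = errors.New("scep: unsupported messageType")
)

// authorize is a hypothetical stand-in for the provisioner's authorization step
// (challenge password check, webhooks, ...). Certificate policy checks such as
// allowed names and validity periods are out of scope here.
func authorize(r Request, expectedChallenge string) error {
	if r.ChallengePassword != expectedChallenge {
		return ErrUnauthorized
	}
	return nil
}

// issue is a hypothetical stand-in for certificate issuance.
func issue(r Request) string {
	return "cert-for-" + r.Subject
}

// handleVulnerable mirrors the bug class in the advisory: authorization is only
// wired into the branches for the message types the CA implements, and any other
// type that parsed falls through to issuance unchecked. Not Step CA's code.
func handleVulnerable(r Request, challenge string) (string, error) {
	switch r.MessageType {
	case MsgPKCSReq, MsgRenewalReq:
		if err := authorize(r, challenge); err != nil {
			return "", err
		}
	}
	return issue(r), nil
}

// handleFixed applies default-deny: the messageType must be on the allow-list of
// request types this CA implements before any further processing happens.
func handleFixed(r Request, challenge string) (string, error) {
	switch r.MessageType {
	case MsgPKCSReq, MsgRenewalReq:
		// supported enrollment request types
	default:
		return "", fmt.Errorf("%w: %d", ErrUnsupported, r.MessageType)
	}
	if err := authorize(r, challenge); err != nil {
		return "", err
	}
	return issue(r), nil
}

func main() {
	const challenge = "correct-horse" // constructed sample value
	reqs := []Request{
		{MessageType: MsgPKCSReq, ChallengePassword: "wrong", Subject: "host-a"},
		{MessageType: MsgUpdateReq, ChallengePassword: "wrong", Subject: "host-b"},
	}
	for _, r := range reqs {
		_, vErr := handleVulnerable(r, challenge)
		_, fErr := handleFixed(r, challenge)
		fmt.Printf("type=%d vulnerable=%v fixed=%v\n", r.MessageType, vErr, fErr)
	}
}
```

Running it shows the PKCSReq with a wrong challenge rejected by both handlers, while the UpdateReq with the same wrong challenge is issued by `handleVulnerable` and rejected as unsupported by `handleFixed`. The design point is that the allow-list check sits before authorization rather than inside individual branches, so adding a new message type later cannot silently widen what reaches issuance.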
Acknowledgements
This issue was identified and reported by Prasanth Sundararajan.
Embargo List
If your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.
Stay safe, and thank you for helping us keep the ecosystem secure.
If you have urgent questions, please contact security@smallstep.com.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/smallstep/certificates"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.30.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30836"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-295"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T16:27:53Z",
"nvd_published_at": "2026-03-19T21:17:09Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nAn attacker can force a Step CA SCEP provisioner to create certificates without completing certain protocol authorization checks.\n\n## Details\n\nSCEP requests carry a message type. On receipt of a SCEP request, Step CA starts processing it by parsing its contents. Message types that were considered valid, but not explicitly supported in Step CA, would result in getting parsed successfully. While processing the parsed SCEP message, authorization logic would be skipped for the non-supported message types.\n\nAs a result, the request would be treated as authorized, bypassing the authorization checks normally enforced as part of the SCEP protocol and its implementation in Step CA.\n\nAuthorization webhooks and regular CA policies, such as allowed names and restrictions on certificate validity periods, remain in place.\n\n## Mitigations\n\nIf you are unable to upgrade to v0.30.0 or newer, the attack can be mitigated by (temporarily) disabling or removing SCEP provisioners, or restricting access to SCEP provisioners to trusted clients only.\n\n## Fix\n\nIn v0.30.0, additional validation was added to SCEP provisioners, so that they reject unsupported message types.\n\n## Acknowledgements\n\nThis issue was identified and reported by Prasanth Sundararajan.\n\n## Embargo List\n\nIf your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.\n\nStay safe, and thank you for helping us keep the ecosystem secure.\n\nIf you have urgent questions, please contact [security@smallstep.com](mailto:security@smallstep.com).",
"id": "GHSA-q4r8-xm5f-56gw",
"modified": "2026-04-08T11:57:49Z",
"published": "2026-03-19T16:27:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30836"
},
{
"type": "WEB",
"url": "https://github.com/smallstep/certificates/commit/e6da031d5125cfd99fe9a26f74bb41e4dacca4ef"
},
{
"type": "PACKAGE",
"url": "https://github.com/smallstep/certificates"
},
{
"type": "WEB",
"url": "https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.