Skip to main content

Step CA CVE-2026-30836

| EUVDEUVD-2026-13200 CRITICAL
Improper Authentication (CWE-287)
2026-03-19 https://github.com/smallstep/certificates GHSA-q4r8-xm5f-56gw
Critical
Disputed · 10.0 NVD
Share

Severity by source

Sources disagree (Low–Critical)
GitHub Advisory PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
SUSE
3.1 LOW
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Red Hat
10.0 CRITICAL
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 27, 2026 - 13:57 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 27, 2026 - 13:52 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 19, 2026 - 17:00 euvd
EUVD-2026-13200
Analysis Generated
Mar 19, 2026 - 17:00 vuln.today
CVE Published
Mar 19, 2026 - 16:27 nvd
CRITICAL 10.0

DescriptionGitHub Advisory

⚠️ Limited Disclosure - Full Details Pending

A critical security vulnerability has been identified in Step CA. An updated version, v0.30.0, is available and all operators are strongly encouraged to upgrade immediately.

Full details of this vulnerability will be published in this security advisory on March 30, 2026. If you have urgent questions in the meantime, please contact [security@smallstep.com](mailto:security@smallstep.com).

AnalysisAI

Authentication bypass in Smallstep Step CA (GitHub certificates package) allows remote unauthenticated attackers to completely circumvent authentication controls and gain high-level unauthorized access to certificate authority operations. Affects all versions before 0.30.0. Vendor has released patch version 0.30.0 with full vulnerability details embargoed until March 30, 2026. Despite maximum CVSS 10.0 severity, current EPSS score of 0.01% suggests no widespread exploitation activity detected, though limited public disclosure may suppress scanning/exploitation until full details release.

Technical ContextAI

Step CA (Smallstep Certificates) is a private certificate authority (CA) and ACME server implementation written in Go, used for managing X.509 certificates and SSH certificates in zero-trust environments. The vulnerability is rooted in CWE-287 (Improper Authentication), indicating a fundamental flaw in how the CA validates identity or credentials before issuing certificates or granting access to CA operations. The affected component is the github.com/smallstep/certificates Go package. The CVSS scope change (S:C) suggests the vulnerability allows attackers to break out of the CA's security boundary and impact dependent systems that trust certificates issued by the compromised CA. GitHub commit e6da031d5125cfd99fe9a26f74bb41e4dacca4ef contains the fix, initially released in v0.30.0-rc7 release candidate before final v0.30.0 production release.

RemediationAI

Immediately upgrade to Smallstep Certificates version 0.30.0 or later, available at https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7 (release candidate) with final production release at v0.30.0. The fix is implemented in Git commit e6da031d5125cfd99fe9a26f74bb41e4dacca4ef. Organizations unable to patch immediately should implement the following compensating controls with noted trade-offs: restrict network access to Step CA endpoints to only trusted IP ranges or VPN-connected clients using firewall rules (reduces attack surface but does not prevent exploitation by attackers who gain access to trusted networks); implement additional network-layer authentication such as mutual TLS for all CA API connections (adds defense-in-depth but requires client certificate distribution and may break automated certificate renewal workflows); enable comprehensive audit logging and monitor for unexpected certificate issuance patterns or authentication attempts (provides detection capability but does not prevent initial compromise); consider temporarily taking Step CA offline for non-essential certificate operations until patching is complete (eliminates exposure but disrupts certificate lifecycle management). Note that due to embargoed disclosure, specific vulnerable code paths are unknown, making targeted workarounds impossible to recommend. Consult vendor advisory at https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw or contact security@smallstep.com for urgent guidance.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-30836 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy