Severity by source
Sources disagree (Low–Critical)AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
⚠️ Limited Disclosure - Full Details Pending
A critical security vulnerability has been identified in Step CA. An updated version, v0.30.0, is available and all operators are strongly encouraged to upgrade immediately.
Full details of this vulnerability will be published in this security advisory on March 30, 2026. If you have urgent questions in the meantime, please contact [security@smallstep.com](mailto:security@smallstep.com).
AnalysisAI
Authentication bypass in Smallstep Step CA (GitHub certificates package) allows remote unauthenticated attackers to completely circumvent authentication controls and gain high-level unauthorized access to certificate authority operations. Affects all versions before 0.30.0. Vendor has released patch version 0.30.0 with full vulnerability details embargoed until March 30, 2026. Despite maximum CVSS 10.0 severity, current EPSS score of 0.01% suggests no widespread exploitation activity detected, though limited public disclosure may suppress scanning/exploitation until full details release.
Technical ContextAI
Step CA (Smallstep Certificates) is a private certificate authority (CA) and ACME server implementation written in Go, used for managing X.509 certificates and SSH certificates in zero-trust environments. The vulnerability is rooted in CWE-287 (Improper Authentication), indicating a fundamental flaw in how the CA validates identity or credentials before issuing certificates or granting access to CA operations. The affected component is the github.com/smallstep/certificates Go package. The CVSS scope change (S:C) suggests the vulnerability allows attackers to break out of the CA's security boundary and impact dependent systems that trust certificates issued by the compromised CA. GitHub commit e6da031d5125cfd99fe9a26f74bb41e4dacca4ef contains the fix, initially released in v0.30.0-rc7 release candidate before final v0.30.0 production release.
RemediationAI
Immediately upgrade to Smallstep Certificates version 0.30.0 or later, available at https://github.com/smallstep/certificates/releases/tag/v0.30.0-rc7 (release candidate) with final production release at v0.30.0. The fix is implemented in Git commit e6da031d5125cfd99fe9a26f74bb41e4dacca4ef. Organizations unable to patch immediately should implement the following compensating controls with noted trade-offs: restrict network access to Step CA endpoints to only trusted IP ranges or VPN-connected clients using firewall rules (reduces attack surface but does not prevent exploitation by attackers who gain access to trusted networks); implement additional network-layer authentication such as mutual TLS for all CA API connections (adds defense-in-depth but requires client certificate distribution and may break automated certificate renewal workflows); enable comprehensive audit logging and monitor for unexpected certificate issuance patterns or authentication attempts (provides detection capability but does not prevent initial compromise); consider temporarily taking Step CA offline for non-essential certificate operations until patching is complete (eliminates exposure but disrupts certificate lifecycle management). Note that due to embargoed disclosure, specific vulnerable code paths are unknown, making targeted workarounds impossible to recommend. Consult vendor advisory at https://github.com/smallstep/certificates/security/advisories/GHSA-q4r8-xm5f-56gw or contact security@smallstep.com for urgent guidance.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Low| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13200
GHSA-q4r8-xm5f-56gw