Permalink
CVE-2026-30836
10.0 CRITICAL
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
References
Affected products
certificates
- ==< 0.30.0
Matching in nixpkgs
pkgs.python312Packages.azure-keyvault-certificates
Microsoft Azure Key Vault Certificates Client Library for Python
pkgs.python313Packages.azure-keyvault-certificates
Microsoft Azure Key Vault Certificates Client Library for Python
pkgs.python314Packages.azure-keyvault-certificates
Microsoft Azure Key Vault Certificates Client Library for Python
pkgs.azure-sdk-for-cpp.security-keyvault-certificates
Azure Key Vault Certificates client library for C++
-
nixos-unstable 4.3.0-beta.4
- nixpkgs-unstable 4.3.0-beta.4
- nixos-unstable-small 4.3.0-beta.4
Package maintainers
-
@tobim Tobias Mayer <nix@tobim.fastmail.fm>