CVE-2026-41889 vulnerabilities

Vulnerabilities for packages: telegraf, kine, wal-g, grafana-alloy-fips, vault, rke2-cloud-provider-fips, rke2-runtime-fips, peerdb-flow, rke2-runtime, keda, step-ca, cerbos, certificate-transparency, argo-workflows-fips, k3s, step-issuer, opentelemetry-collector-contrib-fips, step,...

SUSE CVE-2026-40097

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension...

GHSA-7MR4-XJXG-34G6 vulnerabilities

Vulnerabilities for packages: aws-flb-cloudwatch, memcached-exporter, terraform-provider-aws, gitaly, jitsucom-bulker, kserve-rest-proxy, kubernetes, swagger, docker-cli, polaris, flux, terraform-provider-pagerduty, vault-benchmark, vault-secrets-webhook, grafana-mimir, verticadb-operator,...

GHSA-9QQ8-CGCV-QMC9 Step CA affected by an index out of bounds panic in TPM attestation EKU validation

Summary An attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension during TPM device attestation. Details When processing a device-attest-01 ACME challenge using TPM attestation, Step CA...

CVE-2026-40097

Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension...

CVE-2026-40097

CVE-2026-40097 affects Step CA (online CA for secure, automated certificate management). From version 0.24.0 up to before 0.30.0-rc3, an attacker can trigger an index-out-of-bounds panic during TPM device attestation by sending a crafted attestation key certificate with an empty EKU extension. Sp...

PT-2026-31991

Name of the Vulnerable Software and Affected Versions Step CA versions 0.24.0 through 0.30.0-rc3 Description An attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension during TPM device...

Smallstep step-ca 输入验证错误漏洞

Smallstep step-ca is an online certificate authority for DevOps security and automated certificate management provided by the Smallstep company in the United States. Versions of Smallstep step-ca prior to 0.30.0-rc3 contained a vulnerability related to input validation errors. This vulnerability...

CLEANSTART-2026-GM09342 Security fixes for CVE-2025-68121, CVE-2026-26958, ghsa-fw7p-63qq-7hpr, ghsa-mqqf-5wvp-8fh8 applied in versions: 0.29.0-r0, 0.29.0-r1

Multiple security vulnerabilities affect the step-ca-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

Linux Distros Unpatched Vulnerability : CVE-2026-30836

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against...

GO-2026-4775 step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) in github.com/smallstep/certificates

step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq MessageType=18 in github.com/smallstep/certificates...

SUSE CVE-2026-30836

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...

CVE-2026-30836

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...

CVE-2026-30836

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...

CVE-2026-30836

CVE-2026-30836 affects step-ca (github.com/smallstep/certificates). The issue allows unauthenticated certificate issuance via SCEP UpdateReq (MessageType=18) due to inadequate protection in UpdateReq handling. Affected versions are 0.30.0-rc6 and below; the vulnerability is fixed in version 0.30....

CVE-2026-30836 Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...

CVE-2026-30836 Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...

EUVD-2026-13200

step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq MessageType=18...

step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)

Summary An attacker can force a Step CA SCEP provisioner to create certificates without completing certain protocol authorization checks. Details SCEP requests carry a message type. On receipt of a SCEP request, Step CA starts processing it by parsing its contents. Message types that were...

GHSA-Q4R8-XM5F-56GW step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)

Summary An attacker can force a Step CA SCEP provisioner to create certificates without completing certain protocol authorization checks. Details SCEP requests carry a message type. On receipt of a SCEP request, Step CA starts processing it by parsing its contents. Message types that were...