Browse all 4 CVE security advisories affecting smallstep. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Smallstep provides certificate management and identity verification solutions for secure access control. Historically, the project has been vulnerable to remote code execution, cross-site scripting, and privilege escalation flaws, often stemming from improper input validation and insecure default configurations. While no major public security incidents have been documented, the presence of four CVEs indicates ongoing security challenges in their certificate authority and web interface components. The project's focus on cryptographic operations makes vulnerabilities particularly impactful, as they could compromise entire PKI infrastructures. Security researchers have noted that some issues stemmed from insufficient isolation between different certificate authorities within the same deployment.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40097 | Step CA affected by an index out of bounds panic in TPM attestation EKU validation | certificates | CWE-129 | 3.7 | Low | 2026-04-10 |
| CVE-2026-30836 | Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) | certificates | CWE-287 | 10.0 | Critical | 2026-03-19 |
| CVE-2025-44005 | Smallstep step-ca security vulnerability | Step-CA | CWE-287 | 10.0 | Critical | 2025-12-17 |
| CVE-2025-66406 | Improper Authorization Check for SSH Certificate Revocation | certificates | CWE-863 | 5.0 | Medium | 2025-12-03 |
This page lists every published CVE security advisory associated with smallstep. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.