diff --git a/changes/43319-fix-scep-pkiop-url-query-plus-sign b/changes/43319-fix-scep-pkiop-url-query-plus-sign
new file mode 100644
index 00000000000..57c64397888
--- /dev/null
+++ b/changes/43319-fix-scep-pkiop-url-query-plus-sign
@@ -0,0 +1 @@
+- Fixed SCEP PKIOperation handler incorrectly decoding base64 `+` characters as spaces.
diff --git a/server/mdm/scep/server/transport.go b/server/mdm/scep/server/transport.go
index ba40a32bba7..9718c36a6e4 100644
--- a/server/mdm/scep/server/transport.go
+++ b/server/mdm/scep/server/transport.go
@@ -9,7 +9,7 @@ import (
 "io"
 "log/slog"
 "net/http"
- "net/url"
+ "strings"

 "github.com/fleetdm/fleet/v4/server/mdm/scep/kitlogadapter"
 "github.com/go-kit/kit/transport"
@@ -179,14 +179,10 @@ func message(r *http.Request) ([]byte, error) {
 return nil, &BadRequestError{Message: "missing PKIOperation message"}
 }

- msg2, err := url.PathUnescape(msg)
+ msg = strings.ReplaceAll(msg, " ", "+")
+ decoded, err := base64.StdEncoding.DecodeString(msg)
 if err != nil {
- return nil, &BadRequestError{Message: fmt.Sprintf("invalid PKIOperation message: %s", msg)}
- }
-
- decoded, err := base64.StdEncoding.DecodeString(msg2)
- if err != nil {
- return nil, &BadRequestError{Message: fmt.Sprintf("failed to base64 decode message: %s: %s", err.Error(), msg2)}
+ return nil, &BadRequestError{Message: fmt.Sprintf("failed to base64 decode message: %s: %s", err.Error(), msg)}
 }

 return decoded, nil
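Review bot: The decode-failure branch of `message` still copies the whole client-supplied `msg` into `BadRequestError.Message`, so the caller controls the size and content of whatever that error is later written to (a log or the response; the consumer is not visible here). The base64 error already reports the offset of the offending byte, so `return nil, &BadRequestError{Message: fmt.Sprintf("failed to base64 decode message: %s", err.Error())}` would be enough. The `strings.ReplaceAll(msg, " ", "+")` line is only correct if `msg` was read from an already query-decoded source, which presumably happens above the hunk (the function starts outside it); a comment such as `// query decoding turns '+' into ' '; standard base64 has no spaces, so map them back` would make that dependency explicit. No regression test for a message containing `+` is visible in this diff.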