fleetdm · sergey-cheperis · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 9, 2026
diff --git a/changes/43319-fix-scep-pkiop-url-query-plus-sign b/changes/43319-fix-scep-pkiop-url-query-plus-sign
@@ -0,0 +1 @@
+- Fixed SCEP PKIOperation handler incorrectly decoding base64 `+` characters as spaces.
@@ -10,6 +10,7 @@ import (
 	"log/slog"
 	"net/http"
 	"net/url"
+	"strings"
 
 	"github.com/fleetdm/fleet/v4/server/mdm/scep/kitlogadapter"
 	"github.com/go-kit/kit/transport"
@@ -184,6 +185,7 @@ func message(r *http.Request) ([]byte, error) {
 				return nil, &BadRequestError{Message: fmt.Sprintf("invalid PKIOperation message: %s", msg)}
 			}
 
+			msg2 = strings.ReplaceAll(msg2, " ", "+")
 			decoded, err := base64.StdEncoding.DecodeString(msg2)
 			if err != nil {
 				return nil, &BadRequestError{Message: fmt.Sprintf("failed to base64 decode message: %s: %s", err.Error(), msg2)}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		- Fixed SCEP PKIOperation handler incorrectly decoding base64 `+` characters as spaces.