Authentication Bypass Vulnerability in Soft Serve by Charmbracelet
CVE-2026-24058

8.1HIGH

Key Information:

Vendor

Charmbracelet

Status
Soft-serve
Vendor
CVE Published:
22 January 2026

What is CVE-2026-24058?

Soft Serve, a self-hostable Git server for command line usage, is affected by a significant authentication bypass issue in versions 0.11.2 and below. This vulnerability allows attackers to impersonate legitimate users, including administrators, by utilizing the victim's public key during the SSH handshake, bypassing authentication with their own valid key. This security flaw exists because the user's identity is maintained in the session context during the 'offer' phase and is not cleared if the authentication attempt fails. The issue has been resolved in version 0.11.3, and users are advised to upgrade to ensure system integrity.

Affected Version(s)

soft-serve < 0.11.3

References

https://github.com/charmbracelet/soft-serve/security/advi...
x_refsource_CONFIRM
https://github.com/charmbracelet/soft-serve/commit/8539f9...
x_refsource_MISC
https://github.com/charmbracelet/soft-serve/releases/tag/...
x_refsource_MISC

CVSS V4

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.