Remote Code Execution Vulnerability in Soft Serve Git Server
CVE-2026-30832

9.1CRITICAL

Key Information:

Vendor

Charmbracelet

Status
Soft-serve
Vendor
CVE Published:
7 March 2026

What is CVE-2026-30832?

Soft Serve, a self-hostable Git server, has a vulnerability that allows authenticated SSH users to manipulate the server into making unauthorized HTTP requests to internal IP addresses. By using a crafted --lfs-endpoint URL during the repository import process, an attacker can exploit this weakness. Although the initial request does not yield a valid response, an attacker who controls a malicious LFS server can leverage this flaw to gain full read access to internal services by providing download URLs targeting sensitive internal resources. This vulnerability has been addressed in Soft Serve version 0.11.4.

Affected Version(s)

soft-serve >= 0.6.0, < 0.11.4

References

https://github.com/charmbracelet/soft-serve/security/advi...
x_refsource_CONFIRM
https://github.com/charmbracelet/soft-serve/commit/3ef660...
x_refsource_MISC
https://github.com/charmbracelet/soft-serve/releases/tag/...
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.