CVE-2026-22253 - Vulnerability Details

- Soft Serve is missing an authorization check in LFS lock deletion

Description

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2.

Published: 2026-01-08

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Soft Serve’s LFS lock deletion endpoint permits any authenticated user with write access to a repository to delete locks belonging to other users by supplying the force flag. The code processes force deletions before verifying the user context, so ownership checks are bypassed entirely, enabling unauthorized removal of LFS locks without any additional privileges beyond repository write access.

Affected Systems

The vulnerability impacts the Soft Serve project maintained by charmbracelet. Versions prior to 0.11.2 are affected; the issue has been resolved in version 0.11.2 and later.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. The EPSS score is below 1%, suggesting a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate to the instance and possess repository write permissions, then request a force deletion of a lock. If those conditions are met, the attacker can delete any LFS lock owned by another user without any additional checks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

charmbracelet

soft-serve

affected

Version	Status	Constraints
`< 0.11.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*

No data.

Vendor	Product	Confidence	Versions
Charmbracelet	Soft-serve	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Soft Serve version 0.11.2 or later, which patch the bypass
Restrict repository write permissions to trusted users or collaborators only, limiting who can request lock deletions
Monitor LFS lock deletion activity and review logs for unauthorized use of the force flag

Generated by OpenCVE AI on April 18, 2026 at 07:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-6jm8-x3g6-r33j	Soft Serve is missing an authorization check in LFS lock deletion

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0002.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j

History

Mon, 02 Feb 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Charm Charm soft Serve
CPEs		cpe:2.3:a:charm:soft_serve::::::go::*
Vendors & Products		Charm Charm soft Serve

Fri, 09 Jan 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Charmbracelet Charmbracelet soft-serve
Vendors & Products		Charmbracelet Charmbracelet soft-serve

Thu, 08 Jan 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 08 Jan 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2.
Title		Soft Serve is missing an authorization check in LFS lock deletion
Weaknesses		CWE-863
References		https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42 https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

Charm Soft Serve

Charmbracelet Soft-serve

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-08T18:39:57.714Z

Updated: 2026-01-08T18:51:14.716Z

Reserved: 2026-01-07T05:19:12.921Z

Link: CVE-2026-22253

Vulnrichment

Updated: 2026-01-08T18:51:11.900Z

NVD

Status : Analyzed

Published: 2026-01-08T19:15:59.950

Modified: 2026-02-02T17:09:22.447

Link: CVE-2026-22253

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses

CWE-863

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object