Description
Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3.
Published: 2026-01-22
Score: 8.1 High (CVSS v4.0 from the CNA; NVD's CVSS v3.1 vector scores the same flaw 9.8 Critical)
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

The vulnerability is an authentication bypass that lets an attacker impersonate any user, including the administrator, by offering the victim's public key during the SSH handshake and then authenticating with a key of their own. The flaw arises because the user identity looked up for the offered key is stored in the session context during the offer phase and is not cleared when that attempt fails; the stale identity then carries over into the attempt that does succeed. The attacker therefore needs no credentials for the victim's account, only an SSH key the server will accept for their own login, and can afterwards perform any privileged operation and reach any data the targeted user could on that server.
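The handshake described above, worked through as an added example in Go. This is constructed model code, not Soft Serve's implementation or its 0.11.3 fix: the Key and sessionContext types, the callback signature, the key fingerprints and user names, and the assumption that a key not registered to any user is still accepted as an anonymous login are all hypothetical. What it shows is the mechanism the description names: an identity written into a per-connection context during an unsigned offer that is never cleared, beside a callback that re-derives the identity from the key of the current attempt.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of the flaw described above; it is not Soft Serve's code.
// A Key stands in for an SSH public key (a fingerprint string is enough here).
type Key string

// Attempt is one SSH "publickey" request from the client. An offer carries no
// signature; Signed is true only when the server has verified a signature made
// with the matching private key.
type Attempt struct {
	Key    Key
	Signed bool
}

// sessionContext models the per-connection context that survives across
// authentication attempts within one SSH handshake.
type sessionContext struct {
	user string
}

// Server maps registered public keys to user names. Assumption for this
// model: a key that is not registered is still accepted, as an anonymous user.
type Server struct {
	users map[Key]string
}

const anonymous = "anonymous"

var errAuthFailed = errors.New("authentication failed")

// vulnerableCallback reproduces the described bug: the user looked up for an
// offered key is written into the context, and nothing clears it when that
// offer never completes and a different key authenticates afterwards.
func (s *Server) vulnerableCallback(ctx *sessionContext, k Key) bool {
	if u, ok := s.users[k]; ok {
		ctx.user = u // stale value survives later attempts with other keys
	}
	return true // registered or anonymous: key acceptable
}

// fixedCallback derives the identity from the key of the current attempt on
// every call, so whatever is left in the context belongs to the key that
// actually completed authentication.
func (s *Server) fixedCallback(ctx *sessionContext, k Key) bool {
	if u, ok := s.users[k]; ok {
		ctx.user = u
	} else {
		ctx.user = anonymous
	}
	return true
}

// authenticate runs the attempts through a callback the way an SSH server
// consults its public-key callback for each request. Authentication completes
// at the first accepted attempt that carries a verified signature; the session
// then runs as whichever user the context holds at that moment.
func authenticate(cb func(*sessionContext, Key) bool, attempts []Attempt) (string, error) {
	ctx := &sessionContext{user: anonymous}
	for _, a := range attempts {
		if !cb(ctx, a.Key) {
			continue
		}
		if a.Signed {
			return ctx.user, nil
		}
		// Unsigned offer: possession of the private key was never proven.
	}
	return "", errAuthFailed
}

// newDemoServer registers a single admin key (constructed sample data).
func newDemoServer() *Server {
	return &Server{users: map[Key]string{"SHA256:admin-key": "admin"}}
}

// attackSequence is the handshake from the advisory: offer the victim's public
// key without signing, then authenticate with a key the attacker controls.
func attackSequence() []Attempt {
	return []Attempt{
		{Key: "SHA256:admin-key", Signed: false},
		{Key: "SHA256:attacker-key", Signed: true},
	}
}

func main() {
	s := newDemoServer()
	cases := []struct {
		name string
		cb   func(*sessionContext, Key) bool
	}{
		{"vulnerable", s.vulnerableCallback},
		{"fixed", s.fixedCallback},
	}
	for _, c := range cases {
		user, err := authenticate(c.cb, attackSequence())
		fmt.Printf("%-10s session user=%q err=%v\n", c.name, user, err)
	}
}
```

Against the attack sequence the vulnerable callback yields a session running as admin while the fixed one yields the anonymous user, and a legitimate signed login with the admin key yields admin in both. The design point is that the session identity must be bound to the key whose signature was verified, never to whichever key was most recently looked up; the same model also gives the monitoring signal the recommended actions mention, a session whose first offered key maps to one account while the key that completed authentication maps to a different one.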

Affected Systems

Charmbracelet Soft Serve versions 0.11.2 and earlier are affected on every platform the server runs on, whether installed from a binary package or as a container; the CPE recorded by NVD (cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*) covers all of them. Version 0.11.3 contains the fix.

Risk and Exploitability

The headline score of 8.1 is the CNA's CVSS v4.0 rating; its vector carries E:U (exploit maturity unreported), and NVD's CVSS v3.1 vector for the same flaw scores 9.8 Critical, so treat the severity as the upper end of High. The EPSS score of less than 1% and the absence of the CVE from the CISA KEV catalog indicate no observed in-the-wild exploitation at the time of writing, and the SSVC assessment records Automatable: no; none of that reduces the impact on an exposed instance. An attacker needs only network reach to the Soft Serve SSH port and an SSH key the server will accept for their own login. After the victim's public key is offered, the server associates the session with that identity even though the offer never completes, and the attacker's subsequent authentication inherits it; the impersonation lasts until that session is terminated.

Generated by OpenCVE AI on April 18, 2026 at 03:34 UTC.

Remediation

Vendor fix: upgrade to Soft Serve 0.11.3 (see the Description above and the GHSA advisory below). No vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade every Soft Serve server to version 0.11.3 or later; that release removes the authentication bypass.
  • Confirm that no older instances or containers of Soft Serve remain in the deployment environment and that the running process is the upgraded binary rather than a stale one kept alive by a cached image or an unrestarted service.
  • If a full upgrade cannot be performed immediately, restrict SSH access to the server to trusted networks and monitor SSH authentication logs for the pattern this bug produces: a session in which the public key first offered belongs to one account (an administrator in particular) while the key that completed authentication belongs to a different one.

Advisories
Source: Github GHSA
ID: GHSA-pchf-49fh-w34r
Title: Soft Serve Affected by an Authentication Bypass
History

Wed, 18 Feb 2026 15:00:00 +0000

  Values added:
  • First time appeared: Charm; Charm Soft Serve
  • CPEs: cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*
  • Vendors & Products: Charm; Charm Soft Serve
  • Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 Jan 2026 21:15:00 +0000

  Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

  Values added:
  • First time appeared: Charmbracelet; Charmbracelet soft-serve
  • Vendors & Products: Charmbracelet; Charmbracelet soft-serve

Thu, 22 Jan 2026 23:00:00 +0000

  Values added:
  • Description: identical to the Description at the top of this page
  • Title: Soft Serve has Critical Authentication Bypass
  • Weaknesses: CWE-289
  • References:
  • Metrics (cvssV4_0): {'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}


Subscriptions: Charm Soft Serve; Charmbracelet Soft-serve

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-23T20:14:08.759Z

Reserved: 2026-01-20T22:30:11.779Z

Link: CVE-2026-24058

Vulnrichment

Updated: 2026-01-23T20:14:04.769Z

NVD

Status: Analyzed

Published: 2026-01-22T22:16:21.387

Modified: 2026-02-18T14:49:33.343

Link: CVE-2026-24058

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:45:21Z

Weaknesses