Description
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6.
Published: 2026-03-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to private repositories
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Soft Serve enables any authenticated SSH user to execute a repository import that clones a server‑local Git repository into a new repository they create. Because the import process does not enforce ownership checks, a user can clone another user's private repository, resulting in a confidentiality breach. This flaw corresponds to the confidentiality weakness (CWE-200) and the unauthorized credential validation weakness (CWE-862).

Affected Systems

Charmbracelet’s Soft Serve, a self‑hostable Git server, is affected from version 0.6.0 up to but not including 0.11.6. The issue was fixed in release 0.11.6; users of any version before that are at risk.

Risk and Exploitability

The CVSS base score of 7.1 classifies the vulnerability as high severity. The EPSS value is reported as less than 1%, indicating that, at the time of this analysis, exploitation is unlikely to be widespread, and it is not listed in the CISA KEV catalog. Exposing private repositories can be achieved simply by a user who has SSH credentials and invokes the import command. Based on the description, the attack vector is the import feature; the risk is enhanced in environments where many users possess SSH access, and the potential confidentiality impact follows from the clone operation.

Generated by OpenCVE AI on March 26, 2026 at 04:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Soft Serve to version 0.11.6 or later

Generated by OpenCVE AI on March 26, 2026 at 04:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xgxp-f695-6vrp In Soft Serve, an authenticated repo import can clone server-local private repositories
History

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Charm
Charm soft Serve
CPEs cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*
Vendors & Products Charm
Charm soft Serve
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Charmbracelet
Charmbracelet soft-serve
Vendors & Products Charmbracelet
Charmbracelet soft-serve

Tue, 24 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6.
Title Soft Serve: Authenticated repo import can clone server-local private repositories
Weaknesses CWE-200
CWE-862
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Charm Soft Serve
Charmbracelet Soft-serve
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:35:15.415Z

Reserved: 2026-03-18T22:15:11.814Z

Link: CVE-2026-33353

cve-icon Vulnrichment

Updated: 2026-03-25T13:35:04.720Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T20:16:29.573

Modified: 2026-03-25T21:59:38.923

Link: CVE-2026-33353

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:18:52Z

Weaknesses