CVE-2026-24058

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

S

oft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3.

References

Link	Resource
https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741	Patch
https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3	Product Release Notes
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*

History

18 Feb 2026, 14:49

Type	Values Removed	Values Added
CPE		cpe:2.3:a:charm:soft_serve::::::go::*
References	~~() https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741 -~~	() https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741 - Patch
References	~~() https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3 -~~	() https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3 - Product, Release Notes
References	~~() https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r -~~	() https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Charm soft Serve Charm

22 Jan 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-22 22:16

Updated : 2026-02-18 14:49

NVD link : CVE-2026-24058

Mitre link : CVE-2026-24058

CVE.ORG link : CVE-2026-24058

JSON object : View

Products Affected

soft_serve

CWE

CWE-289

Authentication Bypass by Alternate Name

{"id": "CVE-2026-24058", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-22T22:16:21.387", "references": [{"url": "https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3", "tags": ["Product", "Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-289"}]}], "descriptions": [{"lang": "en", "value": "Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by \"offering\" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the \"offer\" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3."}], "lastModified": "2026-02-18T14:49:33.343", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "EE609E86-02D8-4580-9122-048301D83CFB", "versionEndExcluding": "0.11.3"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}