VDB

CVE-2026-22253

CVE-2026-22253 · Published · CVSS 5.4 (Medium)

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2.
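The ordering defect the description names (a force deletion handled before the caller's identity is loaded) is easiest to see next to its corrected form. The following Go program is an added illustration written for this page, not Soft Serve's own code: the `Lock`, `User`, `LockStore` types, the handler functions and the rule that only an admin may force-delete another user's lock are all assumptions made for the example. It keeps one lock table in memory and runs both orderings against the same request.

```go
package main

import (
	"errors"
	"fmt"
)

// Lock models a Git LFS file lock: its id, the locked path and the owner.
type Lock struct {
	ID    string
	Path  string
	Owner string
}

// User is the caller resolved from the request context. Admin is an assumed
// repository-level privilege used here to gate force deletion; it is not a
// Soft Serve type.
type User struct {
	Name  string
	Admin bool
}

var (
	ErrNotFound  = errors.New("lock not found")
	ErrForbidden = errors.New("forbidden: caller does not own this lock")
)

// LockStore is an in-memory stand-in for the server's lock table.
type LockStore map[string]*Lock

// UserLookup loads the authenticated user from the request context.
type UserLookup func() (*User, error)

// deleteLockVulnerable reproduces the ordering the advisory describes: the
// force branch runs before the user context is retrieved, so ownership is
// never validated when force is set. Illustrative reconstruction only.
func deleteLockVulnerable(store LockStore, lockID string, force bool, lookup UserLookup) (*Lock, error) {
	lock, ok := store[lockID]
	if !ok {
		return nil, ErrNotFound
	}
	if force {
		delete(store, lockID) // caller identity never consulted
		return lock, nil
	}
	user, err := lookup()
	if err != nil {
		return nil, err
	}
	if lock.Owner != user.Name {
		return nil, ErrForbidden
	}
	delete(store, lockID)
	return lock, nil
}

// deleteLockFixed resolves the caller before any deletion decision. The
// owner may always delete; a non-owner may force-delete only with admin
// access (an assumed policy chosen for this example).
func deleteLockFixed(store LockStore, lockID string, force bool, lookup UserLookup) (*Lock, error) {
	user, err := lookup()
	if err != nil {
		return nil, err
	}
	lock, ok := store[lockID]
	if !ok {
		return nil, ErrNotFound
	}
	if lock.Owner != user.Name && !(force && user.Admin) {
		return nil, ErrForbidden
	}
	delete(store, lockID)
	return lock, nil
}

func main() {
	// Constructed scenario: alice holds a lock; bob has write access but is
	// not an admin and sends a force delete for it.
	var bob UserLookup = func() (*User, error) { return &User{Name: "bob"}, nil }

	store := LockStore{"1": {ID: "1", Path: "assets/model.bin", Owner: "alice"}}
	_, err := deleteLockVulnerable(store, "1", true, bob)
	fmt.Println("vulnerable ordering, bob force-deletes alice's lock:", err) // <nil>: ownership bypassed

	store = LockStore{"1": {ID: "1", Path: "assets/model.bin", Owner: "alice"}}
	_, err = deleteLockFixed(store, "1", true, bob)
	fmt.Println("fixed ordering, bob force-deletes alice's lock:", err) // forbidden
}
```

The practical check this suggests for any lock or resource endpoint: every branch that mutates state, including "force" or "override" branches, must sit after the point where the caller has been resolved and compared against the resource's owner or privilege requirement, and a unit test should exercise the force branch with a non-owner caller.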

EPSS 0.02% · 6.8th percentile

Risk Scores

CVSS v3.1
5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
EPSS Score
0.02%
6.8th percentile

Affected Products

Vendor          Product                     Versions
github.com      charmbracelet/soft-serve    0
charmbracelet   soft-serve                  < 0.11.2
charm           soft_serve                  0

Timeline

  • Jan 8, 2026 CVE Published
  • Jan 9, 2026 EPSS Score
  • Jan 12, 2026 EPSS Score
  • Jan 15, 2026 EPSS Score
  • Jan 18, 2026 EPSS Score
  • Jan 21, 2026 EPSS Score
  • Jan 25, 2026 EPSS Score
  • Jan 28, 2026 EPSS Score
  • Jan 31, 2026 EPSS Score
  • Feb 3, 2026 EPSS Score
  • Feb 4, 2026 Security Advisory
  • Feb 6, 2026 EPSS Score