CVE-2026-24058
PUBLISHED
CVSS 8.1 HIGH
Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and earlier contain a critical authentication bypass that allows an attacker to impersonate any user, including admin, by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. The bypass works because the user identity is stored in the session context during the "offer" phase and is not cleared when that authentication attempt fails, so a later successful authentication with a different key inherits the earlier identity. The issue is fixed in version 0.11.3.
EPSS 0.05% · 16.7th percentile
Risk Scores
- CVSS v4.0: 8.1 (HIGH), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
- EPSS: 0.05% (16.7th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| charm | soft_serve | 0, 0 |
| github.com | charmbracelet/soft-serve | 0, 0 |
| charmbracelet | soft-serve | < 0.11.3, * |
Timeline
- Jan 21, 2026 CVE Published
- Jan 22, 2026 PoC Published
- Jan 23, 2026 CVE Updated
- Jan 23, 2026 EPSS Score
- Jan 26, 2026 EPSS Score
- Jan 28, 2026 EPSS Score
- Jan 30, 2026 Security Advisory
- Jan 31, 2026 EPSS Score
- Feb 2, 2026 EPSS Score
- Feb 5, 2026 EPSS Score
- Feb 8, 2026 EPSS Score
- Feb 10, 2026 EPSS Score
References
- https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r (url)
- https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741 (url)
- https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3 (url)
- https://nvd.nist.gov/vuln/detail/CVE-2026-24058 (advisory)
- https://github.com/charmbracelet/soft-serve (package)