CVE-2026-24058
Published 2026-01-22
Priority P2 69 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.53% (40.9th percentile)
Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| charm | soft_serve | < 0.11.3 | 0.11.3 |
| charmbracelet | soft-serve | < 0.11.3 | 0.11.3 |
| github.com | charmbracelet_soft-serve | >= 0 < 0.11.3 | 0.11.3 |
Detection & IOCs (extracted from sources)
- Authentication bypass occurs when an attacker "offers" a victim's public key during the SSH handshake before authenticating with their own valid key. Monitor SSH sessions where the offered public-key identity differs from the key that ultimately succeeds authentication.
- The vulnerable condition is that the user identity set during the SSH key "offer" phase persists in the session context even after that authentication attempt fails. Look for session context retaining a user identity that was never successfully authenticated.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.1 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV · 2026-02-02
CVE-2026-24058: Soft Serve Affected by an Authentication Bypass in github.com/charmbracelet/soft-serve
OSV · 2026-01-21
CVE-2026-24058 [HIGH]: Soft Serve Affected by an Authentication Bypass
### Impact
_What kind of vulnerability is it? Who is impacted?_
This issue impacts every Soft Serve instance.
A critical authentication bypass allows an attacker to impersonate any user (including Admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails.
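The offer-then-authenticate sequence described above, as an added Go model that is not Soft Serve's code: the callback shape, the key registry and the assumption that the attacker's own key is accepted by the server without mapping to a stored user are all constructed for illustration. Replaying the same two attempts through the vulnerable callback leaves the victim's identity in the session, while the fixed callback resets the identity on every attempt and binds it only to the key that completes authentication; Handshake also returns the key that actually succeeded, which is the comparison the detection note above recommends.

```go
package main

// SessionCtx is a constructed model of an SSH server's per-connection auth state (not Soft Serve's code).
type SessionCtx struct{ User string }

// Attempt is one public-key authentication attempt against the server.
type Attempt struct {
	Fingerprint string
	Signed      bool // false = "offer" (query) phase: no proof of key possession yet
}

// registry maps fingerprints to users (sample data); the attacker's key is assumed accepted but unmapped.
var registry = map[string]string{"SHA256:victim-key": "admin"}

// BypassSequence is the constructed attack pattern: offer the victim's key, then authenticate with one's own.
var BypassSequence = []Attempt{{"SHA256:victim-key", false}, {"SHA256:attacker-key", true}}

// vulnerableCallback writes a known key's identity on a mere offer and never clears it when that attempt fails.
func vulnerableCallback(ctx *SessionCtx, a Attempt) bool {
	if user, ok := registry[a.Fingerprint]; ok {
		ctx.User = user
	}
	return a.Signed // offers fail; a signed attempt with an accepted key succeeds
}

// fixedCallback resets the identity on every attempt and binds it only to the key that completes auth.
func fixedCallback(ctx *SessionCtx, a Attempt) bool {
	ctx.User = ""
	if !a.Signed {
		return false
	}
	ctx.User = "anonymous"
	if user, ok := registry[a.Fingerprint]; ok {
		ctx.User = user
	}
	return true
}

// Handshake replays attempts and returns the session identity plus the key that succeeded; a mismatch is the audit signal.
func Handshake(cb func(*SessionCtx, Attempt) bool, attempts []Attempt) (user, key string) {
	ctx := &SessionCtx{}
	for _, a := range attempts {
		if cb(ctx, a) {
			return ctx.User, a.Fingerprint
		}
	}
	return "", ""
}
```

With BypassSequence, Handshake(vulnerableCallback, ...) returns "admin" via SHA256:attacker-key, whereas Handshake(fixedCallback, ...) returns "anonymous" via the same key.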
### Patches
_Has the problem been patched? What versions should users upgrade to?_
Yes, please upgrade to version 0.11.3 as soon as possible.
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
You need to upgrade.
GHSA · 2026-01-21
CVE-2026-24058 [HIGH] CWE-289: Soft Serve Affected by an Authentication Bypass
No detection rules found.
No public exploits indexed.
Published: 2026-01-22