cbcvebase.
CVE-2026-24058
published 2026-01-22

Priority: P269 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.53% (40.9th percentile)
Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3.
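The offer-then-fail sequence described above, as an added illustration that is not Soft Serve's code: a per-connection context that records a user identity when a public key is merely offered, next to a variant that only binds identity from the attempt that actually proved key possession. The key database, fingerprints and the assumption that a verifying key tied to no account is still accepted (anonymous access) are constructed for this model.

```go
package main

import "fmt"

// Constructed model of the defect class described above (not Soft Serve's
// code): a per-connection context receives a user identity when a public key
// is merely offered, and is not cleared when that attempt fails.
type keyDB map[string]string // fingerprint -> account (constructed data)
type attempt struct {
	keyFP   string // fingerprint the client offers
	canSign bool   // client proves possession of the private key
}

// vulnerableLogin binds the account at offer time, keeps it across attempts,
// and trusts the context once any attempt succeeds. Assumption: a key that
// verifies but is tied to no account is still accepted (anonymous access).
func vulnerableLogin(db keyDB, attempts []attempt) (user string, ok bool) {
	var ctxUser string
	for _, a := range attempts {
		if u, found := db[a.keyFP]; found {
			ctxUser = u // identity set at offer time (the defect)
		}
		if a.canSign {
			return ctxUser, true // context trusted as-is
		} // failed attempt: ctxUser is left behind for the next attempt
	}
	return "", false
}

// hardenedLogin takes the identity only from the attempt that proved key
// possession; nothing from an earlier failed attempt survives.
func hardenedLogin(db keyDB, attempts []attempt) (user string, ok bool) {
	var ctxUser string
	for _, a := range attempts {
		ctxUser = "" // never inherit identity from a previous attempt
		if a.canSign {
			ctxUser = db[a.keyFP] // "" when the key maps to no account
			return ctxUser, true
		}
	}
	return "", false
}

func main() {
	db := keyDB{"SHA256:victim": "admin"}
	steps := []attempt{{"SHA256:victim", false}, {"SHA256:attacker", true}}
	u, _ := vulnerableLogin(db, steps)
	h, _ := hardenedLogin(db, steps)
	fmt.Printf("vulnerable=%q hardened=%q\n", u, h) // "admin" vs ""
}
```

The detection bullet below follows directly from the model: an identity in the context that no successful attempt ever bound is the condition to alert on.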

Affected (3 ranges)

Vendor          Product                   Version range    Fixed in
charm           soft_serve                < 0.11.3         0.11.3
charmbracelet   soft-serve                < 0.11.3         0.11.3
github.com      charmbracelet_soft-serve  >= 0 < 0.11.3    0.11.3

Detection & IOCs (extracted from sources)

  • Authentication bypass occurs when an attacker 'offers' a victim's public key during the SSH handshake before authenticating with their own valid key — monitor SSH sessions where the offered public key identity differs from the key that ultimately succeeds authentication.
  • The vulnerable condition is that user identity set during the SSH key 'offer' phase persists in session context even after that authentication attempt fails — look for session context retaining a user identity that was never successfully authenticated.

CVSS provenance

NVD · CVSS v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · CVSS v4.0 · 8.1 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X