CVE-2026-22253

Published: Jan 8, 2026Modified: Feb 2, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2.

Affected (1)

Products: Charm: Soft Serve

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Charm Soft Serve	Before 0.11.2

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42

Source: security-advisories@github.com

Patch

https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.