CVE-2026-33353

Published: Mar 24, 2026Modified: Mar 25, 2026

7.1

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Show more

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security-advisories@github.com (Secondary)

Description

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6.

Affected (1)

Products: Charm: Soft Serve

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Charm Soft Serve	From 0.6.0 to 0.11.6

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ecbbe5813e55

Source: security-advisories@github.com

Patch

https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.6

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.