Vulnerability Description
Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Charm | Soft Serve | < 0.11.3 |
Related Weaknesses (CWE)
References
- https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2bPatch
- https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3ProductRelease Notes
- https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-wVendor Advisory
FAQ
What is CVE-2026-24058?
CVE-2026-24058 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including ...
How severe is CVE-2026-24058?
CVE-2026-24058 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-24058?
Check the references section above for vendor advisories and patch information. Affected products include: Charm Soft Serve.