Vulnerability Description
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is blind (the response from a metadata endpoint won't parse as valid LFS JSON), but an attacker hosting a fake LFS server can chain this into full read access to internal services by returning download URLs that point at internal targets. This issue has been patched in version 0.11.4.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Charm | Soft Serve | >= 0.6.0, < 0.11.4 |
Related Weaknesses (CWE)
References
- https://github.com/charmbracelet/soft-serve/commit/3ef660098ab37a7950457da8ecc25Patch
- https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.4ProductRelease Notes
- https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-3fvx-xrxq-8ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-30832?
CVE-2026-30832 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP ...
How severe is CVE-2026-30832?
CVE-2026-30832 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-30832?
Check the references section above for vendor advisories and patch information. Affected products include: Charm Soft Serve.