Vulnerability Description
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Charm | Soft Serve | >= 0.6.0, < 0.11.6 |
Related Weaknesses (CWE)
References
- https://github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ePatch
- https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.6ProductRelease Notes
- https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6ExploitVendor Advisory
- https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6ExploitVendor Advisory
FAQ
What is CVE-2026-33353?
CVE-2026-33353 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-loc...
How severe is CVE-2026-33353?
CVE-2026-33353 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33353?
Check the references section above for vendor advisories and patch information. Affected products include: Charm Soft Serve.