CVE-2026-33353

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ecbbe5813e55	Patch
https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.6	Product Release Notes
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp	Exploit Vendor Advisory
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*

History

No history.

Information

Published : 2026-03-24 20:16

Updated : 2026-03-25 21:59

NVD link : CVE-2026-33353

Mitre link : CVE-2026-33353

CVE.ORG link : CVE-2026-33353

JSON object : View

Products Affected

charm

soft_serve

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-862

Missing Authorization

{"id": "CVE-2026-33353", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-24T20:16:29.573", "references": [{"url": "https://github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ecbbe5813e55", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.6", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6."}, {"lang": "es", "value": "Soft Serve es un servidor Git autoalojable para la l\u00ednea de comandos. Desde la versi\u00f3n 0.6.0 hasta antes de la versi\u00f3n 0.11.6, una falla de autorizaci\u00f3n en la importaci\u00f3n de repositorios permite a cualquier usuario SSH autenticado clonar un repositorio Git local del servidor, incluyendo el repositorio privado de otro usuario, en un nuevo repositorio que ellos controlan. Este problema ha sido parcheado en la versi\u00f3n 0.11.6."}], "lastModified": "2026-03-25T21:59:38.923", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "EDBD42A1-C2A7-4A84-AA41-6317A9812FF7", "versionEndExcluding": "0.11.6", "versionStartIncluding": "0.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}