CVE-2026-22253

Medium CVSS: 5.4

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2.

Vendor

Charm

Product

Soft Serve

CWE

CWE-863

Yayın Tarihi

2026-01-08 19:15:59

Güncelleme

2026-02-02 17:09:22

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-863 Soft Serve MEDIUM Charm 2026

Referanslar

https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42 https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j

Benzer Kayıtlar

High

CVE-2026-33353

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authoriza…

Critical

CVE-2026-30832

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authentic…

High

CVE-2026-24058

Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication…

Critical

CVE-2025-64522

Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where…

Medium

CVE-2025-22130

Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing…