CVE-2026-24058

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24058
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24058.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24058
Aliases
Published
2026-01-22T22:01:22.276Z
Modified
2026-02-20T01:35:50.222391Z
Severity
  • 8.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Soft Serve has Critical Authentication Bypass
Details

Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24058.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-289"
    ]
}
References

Affected packages

Git / github.com/charmbracelet/soft-serve

Affected ranges

Type
GIT
Repo
https://github.com/charmbracelet/soft-serve
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8539f9ad39918b67d612a35785a2b4326efc8741

Affected versions

v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.10.0
v0.11.0
v0.11.1
v0.11.2
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.3.0
v0.3.1
v0.3.2
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.6.0
v0.6.1
v0.6.2
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.9.0
v0.9.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24058.json"