CVE-2026-22253
Unknown Unknown - Not Provided
Authorization Bypass in Soft Serve LFS Lock Deletion Endpoint

Publication date: 2026-01-08

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22253
EUVD
EUVD-2026-1424
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
charmbracelet soft-serve to 0.11.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22253 is an authorization bypass vulnerability in the Soft Serve Git server's Large File Storage (LFS) lock deletion endpoint. Before version 0.11.2, any authenticated user with write access to a repository could delete LFS locks owned by other users by setting a 'force' flag in the deletion request. The vulnerability occurs because the code processes the force deletion before verifying the user's identity and ownership of the lock, allowing unauthorized deletion of locks without proper permission checks. [1]

Impact Analysis

This vulnerability allows an authenticated user with write access to a repository to delete LFS locks owned by other users without authorization. This can disrupt collaborative workflows by removing file locks that coordinate access, potentially causing conflicts or data integrity issues. However, it does not grant access to the files themselves, escalate repository permissions, or affect repositories where the attacker lacks write access. [1]

Detection Guidance

This vulnerability can be detected by monitoring POST requests to the LFS lock deletion endpoint that include the force flag set to true. Specifically, look for requests to the endpoint pattern POST /<repo>.git/info/lfs/locks/:lockID/unlock where an authenticated user with write access deletes locks owned by other users with the force flag. Detection can involve inspecting server logs or network traffic for such requests that return HTTP 200 OK when the user is not the lock owner. Commands to detect this might include using tools like curl or HTTP log analysis to identify force deletion attempts, for example: curl -X POST -H "Authorization: Bearer <token>" -d '{"force":true}' https://your-soft-serve-instance/<repo>.git/info/lfs/locks/<lockID>/unlock and checking if the response is 200 OK despite the user not owning the lock. Additionally, reviewing server access logs for such POST requests with force=true from non-admin users can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Soft Serve to version 0.11.2 or later, where the vulnerability is patched. The patch ensures that user context is retrieved before processing force deletions and restricts force deletion of LFS locks to admin users only. If upgrading immediately is not possible, restrict write access to repositories to trusted users only, and monitor for suspicious force deletion requests. Additionally, consider disabling LFS lock deletion or the force flag functionality temporarily if feasible until the patch can be applied. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22253. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart