CVE-2026-22253
Authorization Bypass in Soft Serve LFS Lock Deletion Endpoint
Publication date: 2026-01-08
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| charmbracelet | soft-serve | up to 0.11.2 (excluding 0.11.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22253 is an authorization bypass vulnerability in the Soft Serve Git server's Large File Storage (LFS) lock deletion endpoint. Before version 0.11.2, any authenticated user with write access to a repository could delete LFS locks owned by other users by setting a 'force' flag in the deletion request. The vulnerability occurs because the code processes the force deletion before verifying the user's identity and ownership of the lock, allowing unauthorized deletion of locks without proper permission checks. [1]
How can this vulnerability impact me?
This vulnerability allows an authenticated user with write access to a repository to delete LFS locks owned by other users without authorization. This can disrupt collaborative workflows by removing file locks that coordinate access, potentially causing conflicts or data integrity issues. However, it does not grant access to the files themselves, escalate repository permissions, or affect repositories where the attacker lacks write access. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring POST requests to the LFS lock deletion endpoint that include the force flag set to true. Specifically, look for requests matching `POST /<repo>.git/info/lfs/locks/:lockID/unlock` in which an authenticated user with write access deletes a lock owned by another user with the force flag set. Detection can involve inspecting server logs or network traffic for such requests that return HTTP 200 OK when the requester is not the lock owner. Commands to detect this might include using tools like curl or HTTP log analysis to identify force deletion attempts, for example: `curl -X POST -H "Authorization: Bearer <token>" -d '{"force":true}' https://your-soft-serve-instance/<repo>.git/info/lfs/locks/<lockID>/unlock` and checking whether the response is 200 OK even though the user does not own the lock. Additionally, reviewing server access logs for such POST requests with `force=true` from non-admin users can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Soft Serve to version 0.11.2 or later, where the vulnerability is patched. The patch ensures that user context is retrieved before processing force deletions and restricts force deletion of LFS locks to admin users only. If upgrading immediately is not possible, restrict write access to repositories to trusted users only, and monitor for suspicious force deletion requests. Additionally, consider disabling LFS lock deletion or the force flag functionality temporarily if feasible until the patch can be applied. [1, 2]
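The ordering defect and the corrected check side by side, as an added Go sketch that is not Soft Serve's own code: `Lock`, `User`, `vulnerableUnlock` and `fixedUnlock` are hypothetical names, and the repository write-access check that runs before the handler is assumed to have already passed.

```go
package main

import "fmt"

// Hypothetical model of an LFS lock and its requester; the names here are
// assumptions for this example, not Soft Serve's own types or handlers.
type Lock struct{ ID, Owner string }
type User struct{ Name string; IsAdmin bool }

var (
	ErrUnauthenticated = fmt.Errorf("no user in request context")
	ErrNotOwner        = fmt.Errorf("lock is owned by another user")
	ErrForceNotAdmin   = fmt.Errorf("force unlock is restricted to admins")
)

// vulnerableUnlock follows the ordering the advisory describes: the force
// branch removes the lock before the requester is identified at all.
func vulnerableUnlock(lock Lock, user *User, force bool) error {
	if force {
		return nil // deleted with no ownership or role check
	}
	if user == nil {
		return ErrUnauthenticated
	}
	if user.Name != lock.Owner {
		return ErrNotOwner
	}
	return nil
}

// fixedUnlock resolves the requester first; force is honoured only for
// admins, and a plain unlock only for the lock's owner.
func fixedUnlock(lock Lock, user *User, force bool) error {
	if user == nil {
		return ErrUnauthenticated
	}
	if force && !user.IsAdmin {
		return ErrForceNotAdmin
	}
	if !force && user.Name != lock.Owner {
		return ErrNotOwner
	}
	return nil
}

func main() {
	lock, bob := Lock{ID: "1", Owner: "alice"}, &User{Name: "bob"}
	fmt.Println("vulnerable:", vulnerableUnlock(lock, bob, true))
	fmt.Println("fixed:", fixedUnlock(lock, bob, true))
}
```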