CVE-2026-24058
Authentication Bypass in Soft Serve Git Server Allows User Impersonation

Publication date: 2026-01-22

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-23
EPSS evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: charm
Product: soft_serve
Version / Range: up to 0.11.3 (exclusive), i.e. 0.11.2 and below
CWE
CWE-289 (Authentication Bypass by Alternate Name): The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
Mitigation Strategies

Upgrade Soft Serve to version 0.11.3 or later, as this version contains the fix for the critical authentication bypass vulnerability.

Executive Summary

This vulnerability is a critical authentication bypass in Soft Serve (a self-hostable Git server). In versions 0.11.2 and below, an attacker can impersonate any user, including administrators, by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. The issue arises because the user identity is stored in the session context during the "offer" phase and is not cleared if that authentication attempt fails, so a later successful authentication with a different key inherits the stale identity.
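The Go program below is an added illustration written for this page; it is not Soft Serve's code and uses no SSH library. It models the bug class that the Description and Executive Summary describe: an SSH "publickey" request may be an unsigned probe (an offer, RFC 4252 section 7) or a signed attempt, and a server that binds the account to the session context when a key is merely offered, and never clears it when the attempt fails, will attribute a later successful attempt with a different key to the wrong account. The fingerprints and account names are constructed placeholders, and the detail that the vulnerable path reads the cached identity on the signed step is a simplifying assumption for the model, not a description of Soft Serve's implementation. The fixed variant shows the defensive rule: derive identity only from the key whose signature actually verified, and carry no state between attempts.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample directory: key fingerprint -> account. Placeholders only.
var keyOwners = map[string]string{
	"SHA256:ADMIN-KEY-PLACEHOLDER":   "admin",
	"SHA256:MALLORY-KEY-PLACEHOLDER": "mallory",
}

// authRequest models one SSH "publickey" userauth request. Signed=false is
// the probe that asks whether a key would be accepted; Signed=true carries a
// signature, and SigValid stands in for the real signature check.
type authRequest struct {
	Fingerprint string
	Signed      bool
	SigValid    bool
}

var errAuthFailed = errors.New("authentication failed")

// vulnerableAuth: the key callback writes the identity into the per-session
// context as soon as a known key is offered, a failed signed attempt leaves
// that value in place, and the next successful attempt trusts it (assumed
// model of the bug class, not Soft Serve's code).
func vulnerableAuth(reqs []authRequest) (string, error) {
	ctx := map[string]string{} // session context shared across attempts
	for _, r := range reqs {
		if !r.Signed {
			if owner, ok := keyOwners[r.Fingerprint]; ok {
				ctx["user"] = owner // bound before any proof of possession
			}
			continue
		}
		if !r.SigValid {
			continue // the defect: ctx["user"] is not cleared on failure
		}
		if user, ok := ctx["user"]; ok {
			return user, nil // attributed to whoever was last offered
		}
		if owner, ok := keyOwners[r.Fingerprint]; ok {
			return owner, nil
		}
	}
	return "", errAuthFailed
}

// fixedAuth binds identity only to the key whose signature verified, and
// remembers nothing from offers or from attempts that failed.
func fixedAuth(reqs []authRequest) (string, error) {
	for _, r := range reqs {
		owner, known := keyOwners[r.Fingerprint]
		if !known || !r.Signed || !r.SigValid {
			continue // unknown key, bare offer, or failed proof: no identity survives
		}
		return owner, nil // derived from the signing key itself
	}
	return "", errAuthFailed
}

// The sequence the advisory describes: offer the victim's key, fail to prove
// possession of it, then authenticate with the attacker's own registered key.
func impersonationSequence() []authRequest {
	return []authRequest{
		{Fingerprint: "SHA256:ADMIN-KEY-PLACEHOLDER", Signed: false},
		{Fingerprint: "SHA256:ADMIN-KEY-PLACEHOLDER", Signed: true, SigValid: false},
		{Fingerprint: "SHA256:MALLORY-KEY-PLACEHOLDER", Signed: true, SigValid: true},
	}
}

// A normal client: offer a key, then sign with the same key.
func legitimateSequence() []authRequest {
	return []authRequest{
		{Fingerprint: "SHA256:ADMIN-KEY-PLACEHOLDER", Signed: false},
		{Fingerprint: "SHA256:ADMIN-KEY-PLACEHOLDER", Signed: true, SigValid: true},
	}
}

// An offer followed by a failed proof must not authenticate anyone.
func failedSequence() []authRequest {
	return []authRequest{
		{Fingerprint: "SHA256:ADMIN-KEY-PLACEHOLDER", Signed: false},
		{Fingerprint: "SHA256:ADMIN-KEY-PLACEHOLDER", Signed: true, SigValid: false},
	}
}

func main() {
	for _, s := range []struct {
		name string
		fn   func([]authRequest) (string, error)
	}{{"vulnerable", vulnerableAuth}, {"fixed", fixedAuth}} {
		user, err := s.fn(impersonationSequence())
		fmt.Printf("%-10s impersonation sequence -> user=%q err=%v\n", s.name, user, err)
	}
}
```

Running it shows the vulnerable model attributing the session to "admin" while the fixed model attributes it to "mallory", the account that actually proved key possession. The same principle applies to real SSH servers built on golang.org/x/crypto/ssh: the public-key callback is invoked for offered keys as well as for the key that finally authenticates, so identity should be taken from the connection's authenticated permissions, not from state written inside the callback.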

Impact Analysis

This vulnerability can allow an attacker to impersonate any user on the Soft Serve Git server, including administrators. This means the attacker could gain unauthorized access to repositories, modify code, access sensitive information, or perform administrative actions, potentially compromising the integrity and confidentiality of your codebase and related data.
