CVE-2026-24058
Authentication Bypass in Soft Serve Git Server Allows User Impersonation
Publication date: 2026-01-22
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| charm | soft_serve | up to 0.11.3 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-289 | The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade Soft Serve to version 0.11.3 or later, as this version contains the fix for the critical authentication bypass vulnerability.
Can you explain this vulnerability to me?
This vulnerability is a critical authentication bypass in Soft Serve (a self-hostable Git server). In versions 0.11.2 and below, an attacker can impersonate any user, including administrators, by 'offering' the victim's public key during the SSH handshake before authenticating with their own valid key. The issue arises because the user identity is stored in the session context during the 'offer' phase and is not cleared if that authentication attempt fails, allowing the attacker to bypass authentication.
How can this vulnerability impact me?
This vulnerability can allow an attacker to impersonate any user on the Soft Serve Git server, including administrators. This means the attacker could gain unauthorized access to repositories, modify code, access sensitive information, or perform administrative actions, potentially compromising the integrity and confidentiality of your codebase and related data.
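As an added illustration of the bug class in the explanation above (example code written for this page, not Soft Serve's own code and not the API of its SSH library): a minimal Go model of a public-key handler that records the user identity as soon as a known key is offered (the signature-less key query of RFC 4252 section 7) and does not clear it when that attempt fails, beside a version that binds the identity to the attempt that actually succeeded. The account directory, the key strings and the anonymous-access switch are constructed assumptions; the `runSequence` helper replays a list of attempts the way a regression test for this fix would.

```go
package main

import (
	"bytes"
	"fmt"
)

// PublicKey stands in for the wire form of an SSH public key.
type PublicKey []byte

// Account is a registered user; constructed sample data, not Soft Serve's store.
type Account struct {
	Name  string
	Admin bool
	Key   PublicKey
}

// Attempt is one publickey authentication attempt as the server sees it.
// RFC 4252 section 7 lets a client ask whether a key would be acceptable
// (Signed=false, the "offer" the advisory describes) before proving
// possession of it with a signature (Signed=true).
type Attempt struct {
	Key    PublicKey
	Signed bool
}

// Session models the per-connection context in which the server records
// the identity it later authorises against.
type Session struct {
	User *Account // nil means no identity (or anonymous, once authenticated)
}

// Server holds the account directory and whether unregistered keys may
// connect as an anonymous user (an assumption of this model).
type Server struct {
	Accounts       []Account
	AllowAnonymous bool
}

func (s *Server) lookup(k PublicKey) *Account {
	for i := range s.Accounts {
		if bytes.Equal(s.Accounts[i].Key, k) {
			return &s.Accounts[i]
		}
	}
	return nil
}

// vulnerableAuth mirrors the flaw class the advisory describes: the identity
// is written into the session as soon as a known key is offered, and a
// failed attempt leaves it there for the next attempt to inherit.
func (s *Server) vulnerableAuth(sess *Session, a Attempt) bool {
	if acct := s.lookup(a.Key); acct != nil {
		sess.User = acct // stored during the offer, before any proof of possession
	} else if !s.AllowAnonymous {
		return false
	}
	return a.Signed // an unsigned offer never completes authentication
}

// fixedAuth binds the identity to the attempt that actually succeeded:
// every attempt starts from a clean slate, and only a signed attempt
// may leave an identity behind.
func (s *Server) fixedAuth(sess *Session, a Attempt) bool {
	sess.User = nil
	acct := s.lookup(a.Key)
	if acct == nil && !s.AllowAnonymous {
		return false
	}
	if !a.Signed {
		return false
	}
	sess.User = acct
	return true
}

// runSequence replays attempts against one handler and reports whether a
// session was established and under which identity.
func runSequence(auth func(*Session, Attempt) bool, attempts []Attempt) (bool, string) {
	sess := &Session{}
	for _, a := range attempts {
		if auth(sess, a) {
			if sess.User == nil {
				return true, "anonymous"
			}
			return true, sess.User.Name
		}
	}
	return false, ""
}

// newSampleServer builds the constructed directory: one admin account.
func newSampleServer(allowAnonymous bool) *Server {
	return &Server{
		Accounts:       []Account{{Name: "admin", Admin: true, Key: PublicKey("ssh-ed25519 SAMPLE-ADMIN-KEY")}},
		AllowAnonymous: allowAnonymous,
	}
}

// staleOfferSequence is the regression case: a known key is offered without
// a signature, then an unregistered key completes authentication.
var staleOfferSequence = []Attempt{
	{Key: PublicKey("ssh-ed25519 SAMPLE-ADMIN-KEY"), Signed: false},
	{Key: PublicKey("ssh-ed25519 SAMPLE-OTHER-KEY"), Signed: true},
}

func main() {
	s := newSampleServer(true)
	ok, who := runSequence(s.vulnerableAuth, staleOfferSequence)
	fmt.Printf("vulnerable: authenticated=%v identity=%q\n", ok, who)
	ok, who = runSequence(s.fixedAuth, staleOfferSequence)
	fmt.Printf("fixed:      authenticated=%v identity=%q\n", ok, who)
}
```

The point of the model is where the identity is written: the vulnerable handler couples identity to a key lookup, the fixed one couples it to a completed, signed attempt and resets the session state on every call, so a stale identity cannot survive a failed attempt regardless of what the next attempt does.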