High severityNVD Advisory· Published Mar 24, 2026· Updated Mar 25, 2026
Soft Serve: Authenticated repo import can clone server-local private repositories
CVE-2026-33353
Description
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/charmbracelet/soft-serveGo | >= 0.6.0, < 0.11.6 | 0.11.6 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/charmbracelet/soft-servepkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
>= 0.6.0, < 0.11.6+ 1 more
- (no CPE)range: >= 0.6.0, < 0.11.6
- (no CPE)range: < 0.0.20260326T203309-150000.1.155.2
- Range: >= 0.6.0, < 0.11.6
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-xgxp-f695-6vrpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33353ghsaADVISORY
- github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ecbbe5813e55ghsax_refsource_MISCWEB
- github.com/charmbracelet/soft-serve/releases/tag/v0.11.6ghsax_refsource_MISCWEB
- github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrpghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.