CVE-2026-24058

9.8 CRITICAL

📋 TL;DR

Soft Serve versions 0.11.2 and below have a critical authentication bypass in their built-in SSH server that lets an attacker impersonate any user, including administrators. The cause is that the user identity resolved while a public key is being offered is kept on the connection across subsequent authentication attempts, so an attempt that completes later can run as a user who never proved possession of a private key. Anyone running a vulnerable version of this self-hosted Git server is affected, regardless of configuration.

💻 Affected Systems

Products:
  • Soft Serve
Versions: 0.11.2 and below
Operating Systems: All platforms running Soft Serve
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

📦 What is this software?

Soft Serve (charmbracelet/soft-serve) is a self-hosted Git server from Charm, written in Go. It serves repositories over its own embedded SSH server (and optionally over HTTP and the Git daemon protocol), and it manages its users and their public keys itself. The authentication logic at issue in this advisory is therefore Soft Serve's own, not the host's sshd.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Git server with administrative privileges, allowing attackers to read, modify, or delete all repositories, inject malicious code, or use the server as a pivot point to internal networks.

🟠

Likely Case

Unauthorized access to repositories, privilege escalation to admin, data exfiltration, and potential supply chain attacks through repository manipulation.

🟢

If Mitigated

Limited impact if network segmentation, monitoring, and access controls are in place, but these only reduce who can reach the SSH listener; the bypass itself remains available to anyone who can still connect.

🌐 Internet-Facing: HIGH - SSH servers exposed to the internet are directly vulnerable to this authentication bypass attack.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires SSH access to the Soft Serve instance.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: Yes (no valid credentials needed, consistent with the 9.8 score rating privileges required as none)
Complexity: LOW

Exploitation needs only network access to the Soft Serve SSH listener; no account or key on the server is required. The attack uses ordinary SSH protocol behaviour: a client may offer a public key to ask whether it would be accepted before it proves possession of the private key, and a vulnerable server resolves and keeps the key owner's identity at that point even though the attacker can never sign with that key.
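The state-handling mistake described above, as an added illustration that is not Soft Serve's code and does not reproduce the actual patch: a simplified server-side model in Go where the vulnerable handler binds the identity at key lookup time, before any signature is verified, and the fixed handler binds it only from the attempt that actually succeeds. The key fingerprints, user names and the "anonymous" second method are assumptions made for the example; the unsigned publickey query itself is standard SSH (RFC 4252 section 7, request sent with the signature flag false).

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model of an SSH server's per-connection authentication state.
// Not Soft Serve's code; fingerprints, users and the "anonymous" method are
// assumptions for this example.

type User struct {
	Name  string
	Admin bool
}

// keyOwners stands in for the server's key-to-user lookup. A victim's public
// key is public information (forges publish it), so the attacker can present
// it; what they cannot do is sign with it.
var keyOwners = map[string]User{
	"SHA256:AdminKeyFingerprint": {Name: "admin", Admin: true},
	"SHA256:EveKeyFingerprint":   {Name: "eve", Admin: false},
}

// AuthEvent is one SSH_MSG_USERAUTH_REQUEST from the client. For "publickey"
// the client may first send the request without a signature to ask whether the
// key would be acceptable; Signed=false models that query.
type AuthEvent struct {
	Method      string // "publickey" or "anonymous" (assumed alternate method)
	Fingerprint string
	Signed      bool // signature present and verified by the transport layer
}

var ErrAuthFailed = errors.New("authentication failed")

// vulnerableAuth binds the user as soon as a known key is looked up, before
// any signature is checked, and keeps that binding across later attempts.
func vulnerableAuth(events []AuthEvent) (*User, error) {
	var bound *User // survives between attempts on the same connection
	for _, ev := range events {
		switch ev.Method {
		case "publickey":
			owner, known := keyOwners[ev.Fingerprint]
			if !known {
				continue
			}
			bound = &owner // bug: identity fixed at lookup time, not after verification
			if ev.Signed {
				return bound, nil
			}
			// unsigned query: server answers "key acceptable" and waits; bound
			// is never cleared when no signed attempt follows
		case "anonymous":
			if bound == nil {
				bound = &User{Name: "anonymous"}
			}
			return bound, nil // bug: whatever identity was left over is returned
		}
	}
	return nil, ErrAuthFailed
}

// fixedAuth derives the session identity only from the attempt that actually
// succeeds: a verified signature over a known key, or the anonymous identity.
func fixedAuth(events []AuthEvent) (*User, error) {
	for _, ev := range events {
		switch ev.Method {
		case "publickey":
			owner, known := keyOwners[ev.Fingerprint]
			if known && ev.Signed {
				return &owner, nil
			}
		case "anonymous":
			return &User{Name: "anonymous"}, nil
		}
	}
	return nil, ErrAuthFailed
}

// impersonation is the attacker's sequence: offer the admin's public key
// without signing, then complete authentication by the anonymous method.
var impersonation = []AuthEvent{
	{Method: "publickey", Fingerprint: "SHA256:AdminKeyFingerprint", Signed: false},
	{Method: "anonymous"},
}

func main() {
	for _, h := range []struct {
		name string
		fn   func([]AuthEvent) (*User, error)
	}{{"vulnerable", vulnerableAuth}, {"fixed", fixedAuth}} {
		u, err := h.fn(impersonation)
		if err != nil {
			fmt.Printf("%-10s -> error: %v\n", h.name, err)
			continue
		}
		fmt.Printf("%-10s -> user=%s admin=%v\n", h.name, u.Name, u.Admin)
	}
}
```

The point of the fixed version is not the extra condition but where identity lives: nothing about the principal is stored until the transport has verified a signature (or the server deliberately chooses the anonymous identity), so there is no stale value for a later attempt to inherit.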

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.11.3

Vendor Advisory: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r

Restart Required: Yes

Instructions:

1. Stop the Soft Serve service.
2. Update to version 0.11.3 or later using your package manager or by downloading from GitHub releases.
3. Restart the Soft Serve service.

🔧 Temporary Workarounds

Disable SSH access

linux

Stop the service until the upgrade is done (this also takes down the HTTP and Git daemon listeners, if you enabled them) and block Soft Serve's SSH port at the firewall. Soft Serve's embedded SSH server listens on port 23231 by default (ssh.listen_addr in its config); use that port, not 22, which is the host's own sshd and is not affected. The unit name assumes a systemd service called soft-serve.

sudo systemctl stop soft-serve
sudo ufw deny 23231/tcp

Network restriction

linux

Restrict Soft Serve's SSH port to trusted IP addresses only. ufw evaluates rules in order, so add the allow rule before the deny rule. This limits who can reach the listener; it does not remove the bypass for anyone who still can.

sudo ufw allow from TRUSTED_IP to any port 23231 proto tcp
sudo ufw deny 23231/tcp

🧯 If You Can't Patch

  • Implement strict network access controls so that only trusted sources can reach Soft Serve's SSH port (23231 by default); remember that every host that can still connect can exploit this without credentials
  • Enable detailed authentication logging in Soft Serve and monitor for connections whose final identity differs from the identity whose key was offered earlier

🔍 How to Verify

Check if Vulnerable:

Check the Soft Serve version: if it reports 0.11.2 or earlier, you are vulnerable.

Check Version:

soft --version

The server binary is named soft (the service may still be called soft-serve); if you run the container image, run the same command inside the container.

Verify Fix Applied:

Verify the version is 0.11.3 or later. Then, from a client that holds only your own key, connect and confirm the server resolves the connection to you and nobody else, for example with Soft Serve's SSH info command (ssh -p 23231 <host> info; check ssh -p 23231 <host> help if your version names it differently). Repeat with a second user's key to confirm each connection is attributed to the key that actually signed.

📡 Detection & Monitoring

Log Indicators:

  • A connection on which a public key belonging to one user was offered, followed by successful authentication as a different user, or by a method other than publickey
  • Sessions that act as an identity other than the one whose key completed authentication
  • Many key offers from the same source against keys of privileged users

Network Indicators:

  • Unusual SSH connection patterns against port 23231 (or your configured ssh.listen_addr), especially from sources that never held an account
  • Multiple public key offers in a single handshake; on its own this is normal client behaviour (ssh-agent tries every loaded key), so treat it as a signal only together with an identity change on the same connection

SIEM Query:

source="ssh" AND (
  ("authentication failure" AND "publickey" AND "offer")
  OR ("Accepted publickey" AND user!="expected_user")
)

The parentheses matter: AND binds tighter than OR, so without them the source filter applies only to the first branch. The message strings follow sshd's wording; Soft Serve runs its own SSH server and logs in its own format, so map the strings and the user field to whatever your pipeline ingests from it.
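The identity-change indicator above, turned into detection logic as an added example (not from the page or the Soft Serve project). It runs over constructed log lines in an assumed format, one line per authentication attempt with the connection id, method, resolved user and result; Soft Serve's real log format differs, so the parser is the part to adapt.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed log format for this example; it is not Soft Serve's real log
// output. One line per authentication attempt on a connection:
//   conn=<id> method=<publickey|anonymous> user=<resolved user or -> result=<offer|failed|accepted>
const sampleLogs = `
conn=c1 method=publickey user=admin result=offer
conn=c1 method=anonymous user=admin result=accepted
conn=c2 method=publickey user=- result=failed
conn=c2 method=publickey user=eve result=accepted
conn=c3 method=publickey user=admin result=offer
conn=c3 method=publickey user=eve result=accepted
conn=c4 method=publickey user=eve result=failed
conn=c4 method=publickey user=eve result=accepted
`

type authLog struct {
	conn, method, user, result string
}

// parseLine splits a key=value line; it reports false for lines that carry no
// connection id or result (blank lines, unrelated output).
func parseLine(line string) (authLog, bool) {
	var ev authLog
	for _, field := range strings.Fields(line) {
		key, val, ok := strings.Cut(field, "=")
		if !ok {
			continue
		}
		switch key {
		case "conn":
			ev.conn = val
		case "method":
			ev.method = val
		case "user":
			ev.user = val
		case "result":
			ev.result = val
		}
	}
	return ev, ev.conn != "" && ev.result != ""
}

// suspiciousConns returns, sorted, the connection ids on which a resolved
// identity was probed (offered or failed) and the connection then completed
// authentication either by a non-publickey method or as a different identity.
// Unresolved probes (user=-) are ignored, so an agent offering unknown keys
// before the right one does not trigger it.
func suspiciousConns(logs string) []string {
	probed := map[string]map[string]bool{} // conn -> identities seen before acceptance
	flagged := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		ev, ok := parseLine(sc.Text())
		if !ok {
			continue
		}
		if ev.result != "accepted" {
			if ev.user != "-" && ev.user != "" {
				if probed[ev.conn] == nil {
					probed[ev.conn] = map[string]bool{}
				}
				probed[ev.conn][ev.user] = true
			}
			continue
		}
		prior := probed[ev.conn]
		if len(prior) == 0 {
			continue
		}
		suspicious := ev.method != "publickey" // probed a key, finished another way
		for u := range prior {
			if u != ev.user { // finished as someone other than the probed identity
				suspicious = true
			}
		}
		if suspicious {
			flagged[ev.conn] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for c := range flagged {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println("suspicious connections:", suspiciousConns(sampleLogs))
}
```

In the sample, c1 is the impersonation pattern (admin's key probed, login completed by another method), c3 completes as eve after probing admin, and c2 and c4 are ordinary multi-key clients that must not be flagged.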

🔗 References

  • Vendor advisory: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r