CVE-2026-30832
📋 TL;DR
This vulnerability in Soft Serve allows authenticated SSH users to perform Server-Side Request Forgery (SSRF) by abusing the repo import feature with a crafted LFS endpoint URL: the import flow fetches the user-supplied endpoint from the server itself, so the server can be made to issue HTTP requests to hosts that only it can reach. Attackers can chain this to read internal services and potentially expose sensitive data. Users running Soft Serve versions 0.6.0 through 0.11.3 are affected.
💻 Affected Systems
- Soft Serve
⚠️ Manual Verification Required
Automated version matching may not flag this CVE: the NVD entry mirrored in this database carries no version ranges, so scanners that key on NVD CPE data cannot decide whether your build is affected.
Why? The NVD record does not specify vulnerable versions (no ranges), even though the vendor advisory names 0.6.0 through 0.11.3 as affected and 0.11.4 as the fix. Rely on the advisory and the manual steps below rather than on an automated match.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full read access to internal services, data exfiltration, and potential lateral movement within internal networks.
Likely Case
Unauthorized access to internal HTTP services, exposure of sensitive internal data, and potential credential harvesting.
If Mitigated
Limited impact with proper network segmentation and egress filtering; an authenticated SSH user can still make the server probe whatever the egress policy leaves reachable, so the weakness is contained rather than removed.
🎯 Exploit Status
Requires an attacker who already holds authenticated SSH access to Soft Serve and can trigger a repo import, plus a malicious LFS server under their control to supply the crafted endpoint. The SSRF on its own only lets the server reach internal HTTP endpoints; turning that into data exfiltration or lateral movement depends on what those services expose, so chaining is required for full exploitation.
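To make the mechanism concrete, here is an added Go example (an illustration written for this page, not Soft Serve's code): a naive endpoint check of the kind that produces this bug class next to a hardened validator that refuses loopback, private, link-local, CG-NAT and similar targets before any server-side fetch happens. The function names, the `Resolver` type and the sample URLs are assumptions introduced for the example; 203.0.113.0/24 is the TEST-NET-3 documentation range and stands in for a legitimate external LFS host.

```go
package main

// Added illustration, not Soft Serve's code: a naive "accept any URL" endpoint check
// beside a hardened one that refuses internal targets before the server fetches them.

import (
	"context"
	"fmt"
	"net"
	"net/netip"
	"net/url"
	"time"
)

// naiveEndpoint is the SSRF-prone pattern: any syntactically valid URL is accepted
// and later fetched server-side, so http://127.0.0.1:9000/ goes straight through.
func naiveEndpoint(raw string) (*url.URL, error) {
	return url.Parse(raw)
}

// cgnat is RFC 6598 shared address space, which netip.Addr.IsPrivate does not cover.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// isInternal reports whether an address must never be the target of a server-side fetch:
// loopback, RFC 1918 / IPv6 ULA, link-local (includes 169.254.169.254 cloud metadata),
// unspecified (0.0.0.0 reaches local listeners on common stacks), multicast and CG-NAT.
func isInternal(a netip.Addr) bool {
	a = a.Unmap() // ::ffff:10.0.0.1 is 10.0.0.1 once the IPv4-mapped prefix is stripped
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsUnspecified() || a.IsMulticast() || cgnat.Contains(a)
}

// Resolver abstracts DNS so the check can be exercised without network access (assumed type).
type Resolver func(host string) ([]netip.Addr, error)

func systemResolver(host string) ([]netip.Addr, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	return net.DefaultResolver.LookupNetIP(ctx, "ip", host)
}

// validateLFSEndpoint parses a user-supplied LFS endpoint, restricts it to http/https,
// resolves the host and rejects it if ANY resolved address is internal. On success it
// returns the vetted address; the caller should dial that address (keeping the original
// hostname for the Host header and SNI) rather than resolving again, otherwise a DNS
// record that changes between check and fetch (rebinding) reopens the hole.
func validateLFSEndpoint(raw string, resolve Resolver) (netip.Addr, error) {
	if resolve == nil {
		resolve = systemResolver
	}
	u, err := url.Parse(raw)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("parse: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return netip.Addr{}, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return netip.Addr{}, fmt.Errorf("empty host")
	}
	var addrs []netip.Addr
	if a, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{a} // literal IP: no DNS involved
	} else if addrs, err = resolve(host); err != nil {
		return netip.Addr{}, fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(addrs) == 0 {
		return netip.Addr{}, fmt.Errorf("%q resolved to no addresses", host)
	}
	for _, a := range addrs {
		if isInternal(a) {
			return netip.Addr{}, fmt.Errorf("%q resolves to internal address %s", host, a)
		}
	}
	return addrs[0], nil
}

func main() {
	// Constructed inputs for the demo; 203.0.113.0/24 is the TEST-NET-3 documentation range.
	for _, raw := range []string{
		"http://127.0.0.1:9000/lfs",
		"http://169.254.169.254/latest/meta-data/",
		"https://203.0.113.10/lfs",
	} {
		if addr, err := validateLFSEndpoint(raw, nil); err != nil {
			fmt.Printf("reject %s: %v\n", raw, err)
		} else {
			fmt.Printf("accept %s -> dial %s\n", raw, addr)
		}
	}
}
```

The injectable resolver is what lets the DNS-based bypass (a public-looking hostname whose A record points at 10.0.0.5) be demonstrated offline; in production the same check must also be applied to every HTTP redirect the fetch follows, or the client must be configured not to follow redirects at all.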
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.11.4
Vendor Advisory: https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-3fvx-xrxq-8jvv
Restart Required: Yes
Instructions:
1. Stop the Soft Serve service.
2. Update to version 0.11.4 or later using your package manager or a manual installation.
3. Restart the Soft Serve service.
🔧 Temporary Workarounds
Disable repo import feature
All platforms. Prevent users from importing repositories; the import flow is the code path that fetches the attacker-supplied LFS endpoint from the server.
Disable repository imports in the Soft Serve server configuration if your version exposes such a setting; otherwise limit the set of accounts allowed to create repositories, since an import creates one and is reachable only by those accounts.
Network egress filtering
Linux. Block outbound HTTP requests from the Soft Serve server to internal address ranges. Include loopback (127.0.0.0/8, ::1) and link-local (169.254.0.0/16, where cloud metadata endpoints live) as well as the RFC 1918 ranges, since those are the usual SSRF targets.
Configure firewall rules (for example an iptables or nftables owner match on the service account Soft Serve runs as) to stop that process from reaching those ranges. This contains the SSRF but does not remove it: anything the policy still permits remains reachable.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Soft Serve from other internal services
- Monitor and alert on outbound HTTP requests from Soft Serve to internal IP addresses
🔍 How to Verify
Check if Vulnerable:
Check Soft Serve version; if between 0.6.0 and 0.11.3 inclusive, you are vulnerable
Check Version (the upstream release binary is named `soft`, so use `soft --version` if no `soft-serve` command is on your PATH):
soft-serve --version
Verify Fix Applied:
Confirm the version is 0.11.4 or later. Then, in a test environment, run a repo import whose LFS endpoint points at a loopback or RFC 1918 address where you control a listener (a netcat listener is enough), and confirm the listener never receives a connection from the Soft Serve host.
📡 Detection & Monitoring
Log Indicators:
- Unusual repo import activity
- HTTP requests to internal IP addresses from Soft Serve process
- Failed LFS operations with unusual endpoints
Network Indicators:
- Outbound HTTP requests from Soft Serve to RFC1918 addresses
- SSH sessions followed by HTTP traffic to unusual internal destinations
SIEM Query (pseudo-query; field names depend on how your log pipeline parses Soft Serve output, and loopback and link-local ranges are included because SSRF commonly targets localhost and cloud metadata endpoints):
source="soft-serve" AND (event="import" OR event="lfs") AND dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16)
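As an added example (not Soft Serve's own logging, and not vendor tooling), the pseudo-query above rendered as Go that can be run over exported log lines. The logfmt-style sample lines and the `source`, `event`, `user`, `repo`, `dest_ip` and `url` field names are constructed for the example and must be mapped onto whatever your real parser emits; it also treats a URL host as the destination when no explicit `dest_ip` field is present, and flags loopback and link-local destinations in addition to the RFC 1918 ranges.

```go
package main

// Added example, not Soft Serve's code or log format: a log triage routine that
// implements the SIEM query above over constructed logfmt-style lines.

import (
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Alert is one flagged event worth a human look.
type Alert struct {
	User, Repo, Event, Dest string
}

// parseKV splits a space-separated key=value line into a map.
// Assumption: values contain no spaces; adapt the parser to your real log schema.
func parseKV(line string) map[string]string {
	kv := make(map[string]string)
	for _, f := range strings.Fields(line) {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	return kv
}

// internalTarget reports whether dest is a literal address inside 10/8, 172.16/12,
// 192.168/16 (IsPrivate, which also covers IPv6 ULA), loopback, or link-local.
// Hostnames are not classified here; resolve them in your pipeline before matching.
func internalTarget(dest string) bool {
	a, err := netip.ParseAddr(dest)
	if err != nil {
		return false
	}
	a = a.Unmap()
	return a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast()
}

// destOf takes the explicit dest_ip field if present, else the host of the logged url field.
func destOf(kv map[string]string) string {
	if d := kv["dest_ip"]; d != "" {
		return d
	}
	if u, err := url.Parse(kv["url"]); err == nil {
		return u.Hostname()
	}
	return ""
}

// flagInternalFetches is the query: source=soft-serve AND (event=import OR event=lfs)
// AND destination inside an internal range.
func flagInternalFetches(lines []string) []Alert {
	var out []Alert
	for _, line := range lines {
		kv := parseKV(line)
		if kv["source"] != "soft-serve" {
			continue
		}
		ev := kv["event"]
		if ev != "import" && ev != "lfs" {
			continue
		}
		if dest := destOf(kv); internalTarget(dest) {
			out = append(out, Alert{kv["user"], kv["repo"], ev, dest})
		}
	}
	return out
}

// sampleLog is constructed for the demo; it is not real Soft Serve output.
var sampleLog = []string{
	"ts=2026-03-01T10:00:01Z source=soft-serve event=ssh_login user=alice",
	"ts=2026-03-01T10:00:05Z source=soft-serve event=import user=alice repo=proj url=https://github.com/org/proj.git",
	"ts=2026-03-01T10:00:06Z source=soft-serve event=lfs user=alice repo=proj dest_ip=10.0.0.5 url=http://10.0.0.5:9000/objects/batch",
	"ts=2026-03-01T10:00:07Z source=soft-serve event=lfs user=alice repo=proj url=http://169.254.169.254/latest/meta-data/",
	"ts=2026-03-01T10:00:08Z source=soft-serve event=lfs user=bob repo=docs url=http://127.0.0.1:8080/admin",
	"ts=2026-03-01T10:00:09Z source=nginx event=lfs user=bob repo=docs dest_ip=10.0.0.9",
	"ts=2026-03-01T10:00:10Z source=soft-serve event=lfs user=carol repo=site dest_ip=203.0.113.20",
}

func main() {
	for _, a := range flagInternalFetches(sampleLog) {
		fmt.Printf("ALERT user=%s repo=%s event=%s dest=%s\n", a.User, a.Repo, a.Event, a.Dest)
	}
}
```

Over the constructed sample this raises three alerts (the 10.0.0.5, 169.254.169.254 and 127.0.0.1 fetches) and ignores the nginx line and the public destination; the import event with a GitHub URL is not flagged because its destination is a hostname, which is the case to cover by resolving hostnames at ingestion time.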