MEDIUM🇵🇱 Wersja polska

CVE-2026-22253

CVSS 5.4v3.1pub. 2026-01-08upd. 2026-02-02

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
  • Charm Soft Serve

    APP
    Charm
    < 0.11.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-30832CRITICAL9.1PL ✓ten sam produkt

SSRF w Soft Serve — dostęp do wewnętrznych usług przez LFS endpoint

CVE-2025-64522CRITICAL9.1PL ✓ten sam produkt

SSRF w Soft Serve — webhooks bez walidacji URL umożliwiają dostęp do sieci wewnętrznej

CVE-2026-33353HIGH7.1ten sam produkt

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an...

CVE-2026-24058HIGH8.1ten sam produkt

Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authe...

CVE-2023-43809HIGH7.5ten sam produkt

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerabilit...