CVE-2026-22253

Exploit

EPSS 0.27%
Veröffentlicht 08.01.2026 18:39:57
Zuletzt bearbeitet 02.02.2026 17:09:22
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Soft Serve is missing an authorization check in LFS lock deletion

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Charm ≫ Soft Serve SwPlatformgo Version < 0.11.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.189

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
security-advisories@github.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j

Vendor Advisory

Exploit

https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-22253

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-22253

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-22253

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-22253