← Volver a CVEs
CVE-2026-22253
MEDIUM5.4
Descripcion
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2.
Detalles CVE
Puntuacion CVSS v3.15.4
SeveridadMEDIUM
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado1/8/2026
Ultima modificacion2/2/2026
Fuentenvd
Avistamientos honeypot0
Productos afectados
charm:soft_serve
Debilidades (CWE)
CWE-863
Referencias
https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42(security-advisories@github.com)
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j(security-advisories@github.com)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.