CVE-2026-33353: In Soft Serve, an authenticated repo import can clone server-local private repositories
(updated )
An authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user’s private repo, into a new repository they control. This breaks the private-repository confidentiality boundary and should be treated as High severity.
References
- github.com/advisories/GHSA-xgxp-f695-6vrp
- github.com/charmbracelet/soft-serve
- github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ecbbe5813e55
- github.com/charmbracelet/soft-serve/releases/tag/v0.11.6
- github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp
- nvd.nist.gov/vuln/detail/CVE-2026-33353
Code Behaviors & Features
Detect and mitigate CVE-2026-33353 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →