CVE-2026-22253: Soft Serve is missing an authorization check in LFS lock deletion

January 8, 2026

An authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely.

References

github.com/advisories/GHSA-6jm8-x3g6-r33j
github.com/charmbracelet/soft-serve
github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42
github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j
nvd.nist.gov/vuln/detail/CVE-2026-22253

Code Behaviors & Features

Detect and mitigate CVE-2026-22253 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →