CVE-2026-24058: Soft Serve Affected by an Authentication Bypass
(updated )
What kind of vulnerability is it? Who is impacted?
This issue impacts every Soft Serve instance.
A critical authentication bypass allows an attacker to impersonate any user (including Admin) by “offering” the victim’s public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the “offer” phase and is not cleared if that specific authentication attempt fails.
References
- github.com/advisories/GHSA-pchf-49fh-w34r
- github.com/charmbracelet/soft-serve
- github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741
- github.com/charmbracelet/soft-serve/releases/tag/v0.11.3
- github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r
- nvd.nist.gov/vuln/detail/CVE-2026-24058
Code Behaviors & Features
Detect and mitigate CVE-2026-24058 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →