CVE-2026-33353: In Soft Serve, an authenticated repo import can clone server-local private repositories

March 19, 2026

An authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user’s private repo, into a new repository they control. This breaks the private-repository confidentiality boundary and should be treated as High severity.

References

github.com/advisories/GHSA-xgxp-f695-6vrp
github.com/charmbracelet/soft-serve
github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp
nvd.nist.gov/vuln/detail/CVE-2026-33353

Code Behaviors & Features

Detect and mitigate CVE-2026-33353 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →