CVE-2026-30832
Soft Serve: SSRF via unvalidated LFS endpoint in repo import
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is blind (the response from a metadata endpoint won't parse as valid LFS JSON), but an attacker hosting a fake LFS server can chain this into full read access to internal services by returning download URLs that point at internal targets. This issue has been patched in version 0.11.4.
| CWE | CWE-918 |
| Vendor | charmbracelet |
| Product | soft-serve |
| Published | Mar 7, 2026 |
| Last Updated | Mar 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for charmbracelet soft-serve
Be the first to know when new critical vulnerabilities affecting charmbracelet soft-serve are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
Low
Affected Versions
charmbracelet / soft-serve
>= 0.6.0, < 0.11.4