CVE-2026-24058
Published: 22 January 2026
Summary
CVE-2026-24058 is a critical-severity Authentication Bypass by Alternate Name (CWE-289) vulnerability in Charm Soft Serve. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-12 (Audit Record Generation) and AU-3 (Content of Audit Records).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of software flaws like the Soft Serve SSH authentication bypass in CVE-2026-24058 by applying patches such as version 0.11.3.
- AU-12 (Audit Record Generation): mandates generation of audit records for authentication events, capturing SSH handshake details to detect victim key offers followed by attacker authentication.
- AU-3 (Content of Audit Records): ensures audit records contain detailed content on user identity, authentication mechanism, and outcome to identify mismatched keys in SSH sessions indicative of exploitation.
MITRE ATT&CK Enterprise Techniques
- T1133 External Remote Services
- T1190 Exploit Public-Facing Application
- T1078 Valid Accounts
Why these techniques?
The vulnerability is a remote authentication bypass in a public-facing SSH-based Git server, directly enabling exploitation of external remote services (T1133) and public-facing applications (T1190) to impersonate valid user accounts (T1078) for unauthorized access and admin actions.
NVD Description
Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3.
Deeper analysis
Soft Serve, a self-hostable Git server designed for command-line use, contains a critical authentication bypass vulnerability in versions 0.11.2 and prior, tracked as CVE-2026-24058. The flaw arises during the SSH handshake: the server stores the user identity in the session context during the public-key "offer" phase and does not clear it when that specific authentication attempt fails. An attacker can therefore offer a victim's public key, let that attempt fail, and then authenticate with their own valid key while the victim's identity is still held in the session, enabling impersonation of any user, including administrators. The vulnerability is rated 9.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-289 (Authentication Bypass by Alternate Name).
Any unauthenticated attacker with network access to the Soft Serve instance can exploit this vulnerability remotely with low complexity and no privileges required. By initiating an SSH connection, offering a target user's public key (which could be obtained from public sources), and then proceeding with their own successful authentication, the attacker inherits the offered user's identity for the session. This grants full impersonation capabilities, allowing read/write access to repositories, administrative actions, and potential compromise of the entire Git server depending on the victim's privileges.
The issue has been addressed in Soft Serve version 0.11.3, as detailed in the project's security advisory (GHSA-pchf-49fh-w34r), release notes, and the fixing commit (8539f9ad39918b67d612a35785a2b4326efc8741). Security practitioners should immediately upgrade to v0.11.3 or later and audit SSH access logs for suspicious handshake patterns involving mismatched keys.
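As an added example of the audit-log check recommended above (not from the page or the project), the Go program below flags sessions whose granted identity does not match the owner of the key that completed authentication. It assumes a hypothetical key=value log format in which the server records, per session, the owner it resolved for each offered key and the identity the session was finally granted; the event names, field names and sample lines are all constructed, so a real deployment would adapt parseLine to its own audit records. Go is used because Soft Serve itself is a Go project.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed audit log in a hypothetical key=value format (not Soft Serve's real log
// format). Each line records one authentication event: the owner the server resolved for
// an offered key ("pubkey_offer"), or the identity a session was granted ("auth_ok").
// Session c01 is a normal login; c02 shows the pattern to alert on: an admin key offered,
// a guest key proven, and the session nevertheless running as admin.
const SampleLog = `
2026-01-23T10:00:01Z session=c01 event=pubkey_offer user=admin fp=SHA256:CONSTRUCTED-ADMIN
2026-01-23T10:00:02Z session=c01 event=auth_ok user=admin fp=SHA256:CONSTRUCTED-ADMIN
2026-01-23T10:05:10Z session=c02 event=pubkey_offer user=admin fp=SHA256:CONSTRUCTED-ADMIN
2026-01-23T10:05:11Z session=c02 event=pubkey_offer user=guest fp=SHA256:CONSTRUCTED-GUEST
2026-01-23T10:05:12Z session=c02 event=auth_ok user=admin fp=SHA256:CONSTRUCTED-GUEST
`

// Finding describes one session whose granted identity disagrees with the proven key's owner.
type Finding struct {
	Time, Session, SessionUser, KeyOwner, Fingerprint string
}

type event struct {
	ts, session, kind, user, fp string
}

// parseLine splits "<timestamp> k=v k=v ..." into an event; malformed lines are skipped.
func parseLine(line string) (event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return event{}, false
	}
	e := event{ts: fields[0]}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "session":
			e.session = v
		case "event":
			e.kind = v
		case "user":
			e.user = v
		case "fp":
			e.fp = v
		}
	}
	if e.session == "" || e.kind == "" {
		return event{}, false
	}
	return e, true
}

// DetectMismatches returns the sessions in which the key that completed authentication
// was offered as belonging to a different user than the one the session ended up running as.
func DetectMismatches(logText string) []Finding {
	owners := map[string]map[string]string{} // session -> fingerprint -> owner seen at offer time
	var out []Finding
	for _, line := range strings.Split(logText, "\n") {
		e, ok := parseLine(strings.TrimSpace(line))
		if !ok {
			continue
		}
		switch e.kind {
		case "pubkey_offer":
			if owners[e.session] == nil {
				owners[e.session] = map[string]string{}
			}
			owners[e.session][e.fp] = e.user
		case "auth_ok":
			owner, known := owners[e.session][e.fp]
			if known && owner != e.user {
				out = append(out, Finding{e.ts, e.session, e.user, owner, e.fp})
			}
		}
	}
	return out
}

func main() {
	for _, f := range DetectMismatches(SampleLog) {
		fmt.Printf("%s session %s ran as %q but authenticated with a key owned by %q (%s)\n",
			f.Time, f.Session, f.SessionUser, f.KeyOwner, f.Fingerprint)
	}
}
```

The rule keys on the disagreement between the proven key's owner and the granted identity rather than on the number of keys offered, because SSH clients legitimately offer several keys per connection; only the mismatch is the signal the AU-3 control above is meant to surface.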
Details
- CWE(s)