Cyber Resilience

CVE-2026-24058

Severity: High
Published: 22 January 2026
Modified: 18 February 2026
KEV added: not listed
Patch: available
CVSS v4 score: 8.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0053 (40.8th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-24058 is a high-severity Authentication Bypass by Alternate Name (CWE-289) vulnerability in Charm Soft Serve. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 40.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-12 (Audit Record Generation) and AU-3 (Content of Audit Records).

Deeper analysis

Soft Serve, a self-hostable Git server designed for command-line use, contains a critical authentication bypass vulnerability in versions 0.11.2 and prior, tracked as CVE-2026-24058. The flaw arises during the SSH handshake, where an attacker can offer a victim's public key before authenticating with their own valid key. This causes the victim's user identity to be stored in the session context during the "offer" phase and not cleared upon failure of that specific authentication attempt, enabling impersonation of any user, including administrators. The vulnerability is rated 9.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-289 (Authentication Bypass by Alternate Name).

Any unauthenticated attacker with network access to the Soft Serve instance can exploit this vulnerability remotely with low complexity and no privileges required. By initiating an SSH connection, offering a target user's public key (which could be obtained from public sources), and then proceeding with their own successful authentication, the attacker inherits the offered user's identity for the session. This grants full impersonation capabilities, allowing read/write access to repositories, administrative actions, and potential compromise of the entire Git server depending on the victim's privileges.

The issue has been addressed in Soft Serve version 0.11.3, as detailed in the project's security advisory (GHSA-pchf-49fh-w34r), release notes, and the fixing commit (8539f9ad39918b67d612a35785a2b4326efc8741). Security practitioners should immediately upgrade to v0.11.3 or later and audit SSH access logs for suspicious handshake patterns involving mismatched keys.


Vulnerability details

Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1133 External Remote Services (Persistence): Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The vulnerability is a remote authentication bypass in a public-facing SSH-based Git server, directly enabling exploitation of external remote services (T1133) and public-facing applications (T1190) to impersonate valid user accounts (T1078) for unauthorized access and admin actions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30832 (same product: Charm Soft Serve)
CVE-2025-22130 (same product: Charm Soft Serve)
CVE-2026-41589 (same vendor: Charm)
CVE-2024-56511 (shared CWE-289)
CVE-2025-13613 (shared CWE-289)
CVE-2024-11283 (shared CWE-289)
CVE-2025-29266 (shared CWE-289)
CVE-2025-55130 (shared CWE-289)
CVE-2026-32036 (shared CWE-289)

Affected Assets

Charm Soft Serve, versions ≤ 0.11.3

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: requires timely remediation of software flaws like the Soft Serve SSH authentication bypass in CVE-2026-24058 by applying patches such as version 0.11.3.

Detect (AU-12, Audit Record Generation): mandates generation of audit records for authentication events, capturing SSH handshake details to detect victim key offers followed by attacker authentication.

Detect (AU-3, Content of Audit Records): ensures audit records contain detailed content on user identity, authentication mechanism, and outcome to identify mismatched keys in SSH sessions indicative of exploitation.
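The correlation that the AU-12 and AU-3 controls make possible, and that the "audit SSH access logs for suspicious handshake patterns involving mismatched keys" advice in the Deeper analysis calls for, as an added example that is not part of this page or of the Soft Serve project: a Go routine that groups public-key authentication records by connection and flags any connection where a key resolving to one account was offered and a key resolving to a different account completed authentication. The record layout, connection ids, fingerprints and account names are all constructed for the example; a real server's audit stream has to be mapped onto those fields first.

```go
package main

import "strings"

// Finding: a connection offered a key for one account, then completed
// authentication with a key for a different account.
type Finding struct{ Authenticated string; OfferedOthers map[string]bool }
// FindMismatchedHandshakes correlates SSH public-key auth audit records per
// connection. Record format is constructed: "<conn> <offer|accept> <fingerprint>
// <account>" ("-" = key unknown). Several keys for one account are not
// flagged; keys for two accounts in one agent are, so review hits.
func FindMismatchedHandshakes(lines []string) map[string]Finding {
	offered := map[string]map[string]bool{} // conn -> accounts offered
	authed := map[string]string{}           // conn -> account of accepted key
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 || f[3] == "-" {
			continue // malformed record, or key tied to no account
		}
		if f[1] == "accept" {
			authed[f[0]] = f[3]
		} else if f[1] == "offer" {
			if offered[f[0]] == nil {
				offered[f[0]] = map[string]bool{}
			}
			offered[f[0]][f[3]] = true
		}
	}
	out := map[string]Finding{}
	for conn, user := range authed {
		others := map[string]bool{}
		for u := range offered[conn] {
			if u != user {
				others[u] = true
			}
		}
		if len(others) > 0 {
			out[conn] = Finding{user, others}
		}
	}
	return out
}

// SampleAudit is constructed: c1 is a normal login; c2 offers the admin's
// key, then an unknown key, then authenticates as mallory.
var SampleAudit = []string{
	"c1 offer SHA256:aaaa alice", "c1 accept SHA256:aaaa alice",
	"c2 offer SHA256:bbbb admin", "c2 offer SHA256:cccc -",
	"c2 accept SHA256:dddd mallory",
}
```

Running FindMismatchedHandshakes(SampleAudit) reports only c2, authenticated as mallory with admin among the offered-but-unauthenticated accounts; connections that never complete authentication are ignored, since a bare offer on its own is not the pattern described.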
