Unknown · Soft Serve · CVE-2026-24058
**Name of the Vulnerable Software and Affected Versions**
Soft Serve versions 0.11.2 and below
**Description**
Soft Serve, a self-hostable Git server, contains a critical flaw that allows an attacker to impersonate any user, including administrators. This is achieved by presenting the victim's public key during the SSH handshake before authenticating with a valid key. The user identity is retained in the session context even if the authentication attempt fails, enabling the impersonation.
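A simplified model of the stale-identity pattern described above, next to a form that binds the identity only to the key that completed authentication. This is an added example, not Soft Serve's code. The `Attempt` and `Session` types, the key table, and the rule that the first looked-up identity is kept are assumptions made for illustration.

```go
package main

import "fmt"

// Attempt is one public-key auth attempt in this model: the key the client
// offered and whether it proved possession of the matching private key.
type Attempt struct {
	Key    string
	Proved bool
}

// Session is the per-connection state that later authorization checks read.
type Session struct {
	User          string
	Authenticated bool
}

// Constructed key-to-user table; keys and names are placeholders.
var keyOwners = map[string]string{"key-admin": "admin", "key-guest": "guest"}

// vulnerableAuth stores the identity when a key is merely offered and keeps
// it after that attempt fails (assumed caching rule, for illustration).
func vulnerableAuth(attempts []Attempt) Session {
	var s Session
	for _, a := range attempts {
		if u, ok := keyOwners[a.Key]; ok && s.User == "" {
			s.User = u // set before possession is proved
		}
		if a.Proved {
			s.Authenticated = true
			break
		}
	}
	return s
}

// hardenedAuth derives the identity only from the key that was proved, so a
// failed attempt leaves nothing behind in the session.
func hardenedAuth(attempts []Attempt) Session {
	for _, a := range attempts {
		if u, ok := keyOwners[a.Key]; ok && a.Proved {
			return Session{User: u, Authenticated: true}
		}
	}
	return Session{}
}

func main() {
	seq := []Attempt{{"key-admin", false}, {"key-guest", true}} // constructed
	fmt.Println(vulnerableAuth(seq).User, hardenedAuth(seq).User)
}
```

A regression test for this class of bug asserts that the session identity after a failed attempt followed by a successful one equals the owner of the successful key.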
**Recommendations**
Update to version 0.11.3 or later.