PT-2026-26490 · Unknown · Soft Serve

Evnsh · Published 2026-03-19 · Updated 2026-03-27 · CVE-2026-33353

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Soft Serve versions prior to 0.11.6

Description: An authorization flaw in the repo import functionality allows any authenticated SSH user to clone server-local Git repositories, including other users' private repositories, into new repositories they control, bypassing the intended confidentiality boundary for private repositories. The root cause is insufficient validation of the source remote during import: the authorization check verifies only the destination repository name, not the source remote. The vulnerable code path runs through pkg/ssh/cmd/import.go, pkg/ssh/cmd/cmd.go, pkg/backend/user.go and pkg/backend/repo.go, where git.Clone() is called without verifying that the remote parameter is a network remote. An attacker can therefore pass a path on the server's filesystem as the source and obtain an unauthorized copy of a private repository.

Recommendations: Upgrade to version 0.11.6 or later.
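The missing check the description refers to, written out as an added example in Go. This is not Soft Serve's code and not the 0.11.6 patch (see the GHSA for the actual fix); the function names ValidateImportRemote and Classify, the allow-list of schemes, and the sample repository paths are all hypothetical. It classifies an import source the way git's transport layer would and accepts only sources that are fetched over the network, so a server filesystem path, a file:// URL, or a remote-helper address is refused before anything is cloned.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrNotNetworkRemote is returned for any import source that git would not
// fetch over the network: filesystem paths, file:// URLs and remote helpers.
var ErrNotNetworkRemote = errors.New("import: remote must be a network URL")

// allowedSchemes is the allow-list of transports an import may use
// (a hypothetical policy for this example, not the project's).
var allowedSchemes = map[string]bool{"ssh": true, "git": true, "http": true, "https": true}

// RemoteKind classifies an import source the way git's transport layer does.
type RemoteKind int

const (
	KindLocalPath RemoteKind = iota // /srv/repos/x.git, ./x, x.git, C:\x
	KindURL                         // scheme://host/path
	KindScpLike                     // [user@]host:path
	KindHelper                      // helper::address (ext::, fd::, ...)
)

// Classify mirrors git's ordering: "::" selects a remote helper, "://" is a
// URL, a colon before any slash is scp-style SSH, everything else is a path.
// Rejecting "::" anywhere is stricter than git, which is the safe direction.
func Classify(remote string) RemoteKind {
	switch {
	case strings.Contains(remote, "::"):
		return KindHelper
	case strings.Contains(remote, "://"):
		return KindURL
	}
	colon := strings.Index(remote, ":")
	slash := strings.IndexAny(remote, `/\`)
	switch {
	case colon == 1:
		// Single-letter prefix (C:...) is a DOS drive, which git treats as local.
		return KindLocalPath
	case colon > 1 && (slash < 0 || colon < slash):
		return KindScpLike
	}
	return KindLocalPath
}

// ValidateImportRemote is the source-side check the advisory says was absent:
// the destination name alone is not enough, the remote must not be able to
// read the server's own filesystem.
func ValidateImportRemote(remote string) error {
	r := strings.TrimSpace(remote)
	switch Classify(r) {
	case KindLocalPath, KindHelper:
		return ErrNotNetworkRemote
	case KindScpLike:
		// user@host:path always goes through ssh, so the server's own keys,
		// not the importing user's privileges, decide what it can read.
		return nil
	}
	u, err := url.Parse(r)
	if err != nil {
		return fmt.Errorf("import: %w", err)
	}
	if !allowedSchemes[strings.ToLower(u.Scheme)] || u.Hostname() == "" {
		return ErrNotNetworkRemote
	}
	return nil
}

func main() {
	// Constructed sample inputs: attacker-controlled server paths beside
	// ordinary network remotes. The repository path is made up.
	for _, r := range []string{
		"/srv/soft-serve/repos/alice/private.git",
		"file:///srv/soft-serve/repos/alice/private.git",
		"ext::sh -c id",
		"git@github.com:charmbracelet/soft-serve.git",
		"https://github.com/charmbracelet/soft-serve.git",
	} {
		fmt.Printf("%-50s -> %v\n", r, ValidateImportRemote(r))
	}
}
```

Two points a practitioner should keep in mind when reproducing this check: an allow-list of schemes is what closes the hole, because a deny-list of "/" and "file://" would still let through remote-helper syntax such as ext::, which git would otherwise hand to a command; and the check must run before git.Clone() is invoked with the user-supplied remote, not after the destination name has already been authorized.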

Weakness Enumeration

Missing Authorization
Information Disclosure

Related Identifiers

CVE-2026-33353
GHSA-XGXP-F695-6VRP
GO-2026-4788
SUSE-SU-2026:1135-1

Affected Products

Soft Serve