CVE-2026-24058

Name of the Vulnerable Software and Affected Versions Soft Serve versions 0.11.2 and below

Description Soft Serve, a self-hostable Git server, contains a critical flaw that allows an attacker to impersonate any user, including administrators. This is achieved by presenting the victim's public key during the SSH handshake before authenticating with a valid key. The user identity is retained in the session context even if the authentication attempt fails, enabling the impersonation.

Recommendations Update to version 0.11.3 or later.