CVE-2026-30832
CRITICALSoft Serve 0.6.0-0.11.3 - SSRF
Title source: llmDescription
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is blind (the response from a metadata endpoint won't parse as valid LFS JSON), but an attacker hosting a fake LFS server can chain this into full read access to internal services by returning download URLs that point at internal targets. This issue has been patched in version 0.11.4.
Scores
CVSS v3
9.1
EPSS
0.0004
EPSS Percentile
10.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
Classification
CWE
CWE-918
Status
draft
Affected Products (1)
charmbracelet/soft-serve
< 0.11.4Go
Timeline
Published
Mar 07, 2026
Tracked Since
Mar 07, 2026