{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22253", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.921Z", "datePublished": "2026-01-08T18:39:57.714Z", "dateUpdated": "2026-01-08T18:51:14.716Z"}, "containers": {"cna": {"title": "Soft Serve is missing an authorization check in LFS lock deletion", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j"}, {"name": "https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42", "tags": ["x_refsource_MISC"], "url": "https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42"}], "affected": [{"vendor": "charmbracelet", "product": "soft-serve", "versions": [{"version": "< 0.11.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T18:39:57.714Z"}, "descriptions": [{"lang": "en", "value": "Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2."}], "source": {"advisory": "GHSA-6jm8-x3g6-r33j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T18:51:06.311629Z", "id": "CVE-2026-22253", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T18:51:14.716Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22253", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T18:51:06.311629Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T18:51:11.900Z"}}], "cna": {"title": "Soft Serve is missing an authorization check in LFS lock deletion", "source": {"advisory": "GHSA-6jm8-x3g6-r33j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "charmbracelet", "product": "soft-serve", "versions": [{"status": "affected", "version": "< 0.11.2"}]}], "references": [{"url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j", "name": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42", "name": "https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T18:39:57.714Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22253", "state": "PUBLISHED", "dateUpdated": "2026-01-08T18:51:14.716Z", "dateReserved": "2026-01-07T05:19:12.921Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-08T18:39:57.714Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*", "matchCriteriaId": "4E11AA52-59BD-42E8-AF0F-EF9490942F6C", "versionEndExcluding": "0.11.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2."}], "id": "CVE-2026-22253", "lastModified": "2026-02-02T17:09:22.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-08T19:15:59.950", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:32:18.417221+00:00", "value": {"mitigation_remediation": ["Upgrade to Soft Serve version 0.11.2 or later, which patch the bypass", "Restrict repository write permissions to trusted users or collaborators only, limiting who can request lock deletions", "Monitor LFS lock deletion activity and review logs for unauthorized use of the force flag"], "summary": {"action": "Immediate Patch", "impact": "Authorization bypass allows deletion of LFS locks owned by other users"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the Soft Serve project maintained by charmbracelet. Versions prior to 0.11.2 are affected; the issue has been resolved in version 0.11.2 and later.", "description_and_impact": "A flaw in Soft Serve\u2019s LFS lock deletion endpoint permits any authenticated user with write access to a repository to delete locks belonging to other users by supplying the force flag. The code processes force deletions before verifying the user context, so ownership checks are bypassed entirely, enabling unauthorized removal of LFS locks without any additional privileges beyond repository write access.", "risk_and_exploitability": "The CVSS score is 5.4, indicating moderate severity. The EPSS score is below 1%, suggesting a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate to the instance and possess repository write permissions, then request a force deletion of a lock. If those conditions are met, the attacker can delete any LFS lock owned by another user without any additional checks."}}}}, "created": "2026-01-09T13:24:12.978035+00:00", "updated": "2026-04-18T07:45:24.972129+00:00", "vendors": ["charmbracelet", "charmbracelet$PRODUCT$soft-serve"]}