Description

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is blind (the response from a metadata endpoint won't parse as valid LFS JSON), but an attacker hosting a fake LFS server can chain this into full read access to internal services by returning download URLs that point at internal targets. This issue has been patched in version 0.11.4.

INFO

Published Date :

2026-03-07T15:57:39.158Z

Last Modified :

2026-03-09T18:26:21.312Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-30832 vulnerability.

Vendors Products
Charm
  • Soft Serve
Charmbracelet
  • Soft-serve
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30832.

URL Resource
https://github.com/charmbracelet/soft-serve/commit/3ef660098ab37a7950457da8ecc25b516e37ce4e cve-icon cve-icon
https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.4 cve-icon cve-icon
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-3fvx-xrxq-8jvv cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact