Home / Vulnerability Intelligence / CVE-2026-33353

CVE-2026-33353 - Vulnerability Analysis

MediumCVSS: 6.5

Last Updated: March 25, 2026

Soft Serve - Broken Access Control

Published: March 24, 2026Updated: March 25, 2026PoC AvailableRemote Exploitable

Overview

Soft Serve 0.6.0 to < 0.11.6 contains an authorization flaw in repo import, letting any authenticated SSH user clone another user's private repository, exploit requires SSH authentication.

Severity & Score

Severity: Medium

CVSS Score: 6.5

Impact

Authenticated SSH users can clone private repositories of other users, leading to unauthorized data disclosure.

Mitigation

Upgrade to version 0.11.6 or later.

References

https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.6
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp
https://github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ecbbe5813e55

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33353
Severity: Medium
CVSS Score: 6.5
Type: broken_access_control
Status: confirmed

CWE

CWE-200

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N