What is CVE-2026-22253?

CVE-2026-22253 is a medium-severity vulnerability in Charmbracelet Soft-serve, classified under Incorrect Authorization. CVSS score: 5.4/10. Published 2026-01-08.

How severe is CVE-2026-22253?

Medium severity. CVSS v3 base score is 5.4 out of 10.

Auth bypass in Charmbracelet Soft-serve

CVE-2026-22253

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other use…

Vulnerability class: Broken Access Control

EPSS: 0.000 (6.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L.

Affected products

Charmbracelet Soft-serve — versions < 0.11.2

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j (x_refsource_CONFIRM)
https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-22253?: CVE-2026-22253 is a medium-severity vulnerability in Charmbracelet Soft-serve, classified under Incorrect Authorization. CVSS score: 5.4/10. Published 2026-01-08.
How severe is CVE-2026-22253?: Medium severity. CVSS v3 base score is 5.4 out of 10.