CVE-2026-24058 Overview
CVE-2026-24058 is a critical authentication bypass vulnerability in Soft Serve, a self-hostable Git server for the command line. Versions 0.11.2 and below are affected. The flaw lets an attacker who holds any SSH key the server already accepts act as any other user, including administrators: the user identity resolved while a public key is merely "offered" during SSH authentication is stored in the session context, and it is neither cleared nor re-derived when that particular attempt fails or is abandoned.
Critical Impact
An attacker who offers the victim's public key during the SSH handshake and then completes authentication with their own valid key is given the victim's identity for the session. Because SSH public keys are routinely published, any user whose key is known, administrators included, can be impersonated.
Affected Products
- Soft Serve versions 0.11.2 and below
- Self-hosted Git server deployments using vulnerable Soft Serve versions
Discovery Timeline
- 2026-01-22 - CVE-2026-24058 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2026-24058
Vulnerability Analysis
This vulnerability is classified as CWE-289: Authentication Bypass by Alternate Name. The flaw resides in Soft Serve's SSH authentication handling, specifically in how the server tracks user identity across the several public key attempts a single SSH connection may make. An attacker with any SSH key the server accepts can act as any other user whose public key is known; the cryptographic check still takes place, but the identity the session is given is not bound to the key that passed it.
The SSH user authentication protocol (RFC 4252) allows a client to send a "publickey" request without a signature to ask whether the server would accept that key; the server answers with SSH_MSG_USERAUTH_PK_OK, and only a later request that carries a valid signature actually authenticates. Soft Serve resolved the user associated with the key already at this "offer" step and stored that identity in the session context. This is intended to streamline the authentication process, but the stored identity is not cleared when that key's attempt fails or is abandoned, and nothing later checks that the identity in the context belongs to the key whose signature was verified.
Root Cause
The root cause is improper session state management across authentication attempts. When a client offers a public key, the server looks up the user registered for that key and stores that identity in the session context. If the client then authenticates with a different key (the attacker's own valid key), the session keeps the identity stored during the offer rather than deriving it from the key that actually completed authentication. The result is a disconnect between the cryptographic identity that was verified and the application-level identity the session acts as. The rule that prevents this class of bug is to never treat a public key callback as proof of authentication, since it also runs for unsigned queries and may run for several keys on one connection: derive the session identity from the attempt that succeeded and discard whatever earlier attempts left behind.
Attack Vector
The attack is network-based and requires two things:
- The attacker must know the public SSH key of the user they wish to impersonate. Public keys are meant to be shared and are often published, for example on GitHub (every user's keys are served at https://github.com/<username>.keys), GitLab, or personal websites.
- The attacker must have a key of their own that the Soft Serve instance accepts, i.e. a registered key.
The attack then proceeds as follows:
- The attacker opens an SSH connection and offers the victim's public key first (a "publickey" request without a signature). Soft Serve resolves the victim's identity and stores it in the session context.
- The attacker cannot complete authentication with the victim's key, since they do not hold the private key and cannot produce the signature, so they abandon that attempt and send a "publickey" request signed with their own private key, which the server accepts.
- The session context still holds the victim's identity from the offer, so the attacker's session is granted the victim's access.
This attack is particularly dangerous because public SSH keys are designed to be shared and are commonly published openly. An attacker could trivially impersonate administrators if their public keys are known.
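The following Go program is an added example, not code from Soft Serve or from the advisory. It models the root cause and the attack sequence described above in simplified form: the key directory, the fingerprints, the attempt and sessionContext types, and the user names are constructed for the example, and the vulnerable callback encodes the behaviour this page describes (identity resolved at offer time and cached for the connection) rather than Soft Serve's actual implementation. The fixed variant shows the pattern that closes the gap: the identity is taken from the attempt that completed, and abandoned attempts leave no state behind.

```go
package main

import "fmt"

// Constructed key directory for the example (fingerprint -> registered user).
// This is not Soft Serve's data model.
var users = map[string]string{
	"SHA256:adminKey": "admin",
	"SHA256:evilKey":  "attacker",
}

// attempt is one SSH "publickey" userauth request. signed=false is the query
// form (an offer): it carries no signature and only asks whether the server
// would accept the key. signed=true carries a signature; in this model the
// transport has already verified it before the server logic runs.
type attempt struct {
	fp     string
	signed bool
}

// sessionContext models the per-connection context a server keeps across
// authentication attempts, the analogue of the context the advisory refers to.
type sessionContext struct {
	user string
}

// vulnerableCallback models the behaviour described in the advisory, not
// Soft Serve's actual code: the first identity resolved on the connection is
// cached and reused, and a later attempt with a different key only re-checks
// that its key is known. Nothing ties the cached identity to the key that is
// finally verified, and an abandoned offer never clears it.
func vulnerableCallback(ctx *sessionContext, a attempt) bool {
	u, known := users[a.fp]
	if !known {
		return false
	}
	if ctx.user == "" {
		ctx.user = u // cached once per connection; never cleared or re-derived
	}
	return true
}

// fixedCallback returns the identity together with the decision for the
// attempt in hand, so the server can take the identity from the attempt that
// actually completed. A failed or abandoned attempt leaves no state behind.
func fixedCallback(a attempt) (user string, ok bool) {
	u, known := users[a.fp]
	if !known {
		return "", false
	}
	return u, true
}

// runVulnerable replays attempts against the vulnerable server and returns
// the identity the session would run as ("" if authentication never completes).
func runVulnerable(attempts []attempt) string {
	ctx := &sessionContext{}
	for _, a := range attempts {
		if vulnerableCallback(ctx, a) && a.signed {
			return ctx.user // identity read from the shared session context
		}
	}
	return ""
}

// runFixed replays the same attempts against the fixed server: the identity
// is whatever the callback returned for the signed attempt that succeeded.
func runFixed(attempts []attempt) string {
	for _, a := range attempts {
		if u, ok := fixedCallback(a); ok && a.signed {
			return u
		}
	}
	return ""
}

// impersonationAttack is the sequence from the advisory: offer the victim's
// public key, then complete authentication with the attacker's own key.
var impersonationAttack = []attempt{
	{fp: "SHA256:adminKey", signed: false}, // offer the admin's key; server answers PK_OK
	{fp: "SHA256:evilKey", signed: true},   // sign with the attacker's own registered key
}

// normalLogin is what a legitimate client does: offer, then sign with the same key.
var normalLogin = []attempt{
	{fp: "SHA256:evilKey", signed: false},
	{fp: "SHA256:evilKey", signed: true},
}

func main() {
	fmt.Printf("vulnerable server, attack:  session runs as %q\n", runVulnerable(impersonationAttack))
	fmt.Printf("fixed server, attack:       session runs as %q\n", runFixed(impersonationAttack))
	fmt.Printf("fixed server, normal login: session runs as %q\n", runFixed(normalLogin))
}
```

The fixed variant mirrors the guidance in golang.org/x/crypto/ssh, whose ServerConfig.PublicKeyCallback documentation states that a call to the callback does not guarantee the offered key is in fact used to authenticate, and that any data depending on the key should be stored in the returned Permissions.Extensions rather than in connection-wide state. Whether Soft Serve's patch follows exactly this route is not something this page states; the point of the example is the binding between verified key and session identity.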
Detection Methods for CVE-2026-24058
Indicators of Compromise
- Authentication logs showing a session that offered one key but completed authentication with a different key, where the authenticating key is not registered to the user the session ran as
- Git or administrative actions attributed to a user at a time when that user was not active, or that the user denies performing
- Repository changes, server settings changes, or user and collaborator changes made under an administrator's identity that no administrator recognises
- Note that offering several keys in one session is also what a normal client with several keys in its agent does; on its own it is weak evidence, and the mismatch between the authenticating key's owner and the acting user is the decisive sign
Detection Strategies
- Record, per session, every key offered and the key that finally authenticated, and compare the registered owner of the authenticating key with the user the session acted as; a mismatch is the decisive signal
- Correlate SSH authentication events with subsequent Git and administrative operations so that each action can be traced to a key fingerprint, not only to a username
- Review access logs for anomalous administrative actions or repository changes, in particular from source addresses the affected user does not normally use
- SSH traffic is encrypted, so network monitoring only shows connection metadata; use it to spot new or unusual source addresses connecting to the Soft Serve SSH port rather than to inspect the handshake itself
Monitoring Recommendations
- Enable the most verbose authentication logging the server offers, so that key offers and not only successful logins are captured together with their fingerprints
- Log every Git operation with both the authenticated user identity and the fingerprint of the key that was used
- Alert when the key that authenticated a session is registered to a different user than the one the session acted as; alerting on every session that offered more than one key is noisy because ordinary clients try several keys in turn
- Monitor for repository access patterns that deviate from a user's normal behaviour
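An added example, not part of the original page or of Soft Serve: a small Go detector over constructed log lines that implements the two checks recommended above, the decisive identity-mismatch check and the supporting multi-key-offer check. The log format (one event per line, space-separated key=value pairs), the session identifiers, the fingerprints and the key directory are all assumptions made for the example; adapt parseFields to whatever your server actually emits.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// keyOwner is the constructed key directory the detector checks against
// (fingerprint -> the user the key is registered to).
var keyOwner = map[string]string{
	"SHA256:adminKey": "admin",
	"SHA256:evilKey":  "attacker",
	"SHA256:bobKey":   "bob",
}

// sampleLog is constructed for this example; the field layout is an
// assumption, not Soft Serve's real log format.
var sampleLog = []string{
	"2026-01-23T10:01:02Z session=s1 event=pubkey_offer fp=SHA256:adminKey",
	"2026-01-23T10:01:03Z session=s1 event=auth_ok fp=SHA256:evilKey user=admin",
	"2026-01-23T10:02:00Z session=s2 event=pubkey_offer fp=SHA256:adminKey",
	"2026-01-23T10:02:00Z session=s2 event=pubkey_offer fp=SHA256:bobKey",
	"2026-01-23T10:02:01Z session=s2 event=auth_ok fp=SHA256:bobKey user=bob",
	"2026-01-23T10:03:00Z session=s3 event=pubkey_offer fp=SHA256:evilKey",
	"2026-01-23T10:03:01Z session=s3 event=auth_ok fp=SHA256:evilKey user=attacker",
}

// Finding describes one suspicious session. "identity_mismatch" is the
// decisive indicator for this bug: the session acted as a user who does not
// own the key that completed authentication. "multi_key_offer" is supporting
// evidence only, because a client with several keys in its agent also offers
// them one after another until the server accepts one.
type Finding struct {
	Session string
	Reason  string
	Detail  string
}

type session struct {
	offered []string
	authFP  string
	user    string
}

func parseFields(line string) map[string]string {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	return kv
}

// Analyze groups events by session, then checks each authenticated session
// for an identity mismatch and for keys that were offered but not used.
func Analyze(lines []string, owners map[string]string) []Finding {
	sessions := map[string]*session{}
	for _, line := range lines {
		kv := parseFields(line)
		id := kv["session"]
		if id == "" {
			continue
		}
		s := sessions[id]
		if s == nil {
			s = &session{}
			sessions[id] = s
		}
		switch kv["event"] {
		case "pubkey_offer":
			s.offered = append(s.offered, kv["fp"])
		case "auth_ok":
			s.authFP, s.user = kv["fp"], kv["user"]
		}
	}

	var out []Finding
	for id, s := range sessions {
		if s.authFP == "" {
			continue // never authenticated; nothing was attributed to anyone
		}
		if owner, known := owners[s.authFP]; known && owner != s.user {
			out = append(out, Finding{id, "identity_mismatch",
				fmt.Sprintf("session acted as %q but key %s belongs to %q", s.user, s.authFP, owner)})
		}
		for _, fp := range s.offered {
			if fp != s.authFP {
				out = append(out, Finding{id, "multi_key_offer",
					fmt.Sprintf("offered %s before authenticating with %s", fp, s.authFP)})
				break
			}
		}
	}
	// Deterministic order for reporting.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Session != out[j].Session {
			return out[i].Session < out[j].Session
		}
		return out[i].Reason < out[j].Reason
	})
	return out
}

func main() {
	for _, f := range Analyze(sampleLog, keyOwner) {
		fmt.Printf("%s %-17s %s\n", f.Session, f.Reason, f.Detail)
	}
}
```

On the constructed input, session s1 is the attack pattern and is flagged for both reasons, s2 is a legitimate user whose client tried two keys and is flagged only as multi_key_offer, and s3 is a clean login. In practice the identity_mismatch findings are the ones to page on; the multi_key_offer list is useful context when reviewing them.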
How to Mitigate CVE-2026-24058
Immediate Actions Required
- Upgrade Soft Serve to version 0.11.3 or later immediately
- Audit recent user activity logs for potential signs of impersonation attacks
- Review administrative actions taken in the vulnerable period for unauthorized changes
- Consider temporarily restricting external access to the Soft Serve instance until the patch is applied
Patch Information
The vulnerability has been fixed in Soft Serve version 0.11.3. The fix ensures that user identity stored during the SSH key "offer" phase is properly cleared if that authentication attempt does not complete successfully, preventing identity persistence across authentication phases.
For detailed information about the fix, refer to:
Workarounds
- If immediate upgrade is not possible, restrict network access to the Soft Serve instance to trusted IP ranges only
- Implement additional authentication layers such as VPN requirements for accessing the Git server
- Disable SSH access temporarily and use alternative access methods if available until patching is complete
- Monitor authentication logs closely for any signs of exploitation attempts
# Upgrade Soft Serve to patched version
# Using Go install:
go install github.com/charmbracelet/soft-serve/cmd/soft@v0.11.3
# Or download the latest release from GitHub
# https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

