CVE-2026-22253 in soft-serve
Summary
by MITRE • 01/08/2026
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2.
Analysis
by VulDB Data Team • 02/02/2026
The vulnerability identified as CVE-2026-22253 affects Soft Serve, a command-line self-hostable Git server that provides Git repository management capabilities. This particular flaw represents a critical authorization bypass that undermines the security model of the system's Large File Storage (LFS) functionality. The vulnerability exists in versions prior to 0.11.2 and specifically targets the LFS lock deletion endpoint, which is designed to manage file locks within Git repositories to prevent concurrent modifications. The issue stems from a fundamental flaw in the order of operations within the authentication and authorization validation process.
The flaw lies in the LFS lock deletion handler, which processes a force deletion request before establishing the user context needed for authorization. Because of this ordering, any authenticated user with write access to a repository can delete locks owned by other users simply by setting the force flag parameter. Since ownership is never validated before the forced deletion runs, the check is bypassed outright, violating the principle of least privilege and proper access control. This defect allows abuse of the LFS locking system and could enable malicious actors to disrupt collaboration workflows or gain unauthorized access to files that should remain protected.
The operational impact of this vulnerability extends beyond simple privilege escalation, potentially enabling significant disruption to collaborative development environments. When an authenticated user can delete locks owned by others, it creates opportunities for denial of service attacks against legitimate team members who are working on shared files. The vulnerability also undermines the integrity of the LFS system's locking mechanism, which is designed to prevent concurrent modifications that could corrupt repository data. This authorization bypass could allow attackers to manipulate file access patterns, potentially leading to data corruption or unauthorized modifications of critical project assets. The vulnerability particularly affects environments where multiple developers collaborate on repositories with large binary files, as the LFS locking system is crucial for maintaining data consistency in such scenarios.
The root cause of this vulnerability aligns with CWE-285, which addresses improper authorization in software systems, and demonstrates a classic case of insufficient validation of user permissions before executing privileged operations. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques where an attacker with basic write access can elevate their privileges to perform actions against other users' resources. The patch implemented in version 0.11.2 addresses this issue by reordering the validation process to ensure that user context and ownership verification occur before any force deletion operations are processed. This fix aligns with security best practices for access control implementation and demonstrates the importance of proper input validation and authorization checks in multi-user systems. Organizations using Soft Serve should immediately upgrade to version 0.11.2 or later to remediate this vulnerability and restore proper authorization controls within their Git repository management systems.
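The ordering flaw described in the analysis, and the reordered check the 0.11.2 patch is said to introduce, as an added Go illustration that is not soft-serve's own code. The types, the in-memory lock map and the rule that only an admin may force-delete another user's lock are assumptions for the example; the real handler's privilege model may differ.

```go
package main

import "errors"

// Constructed stand-ins for an LFS lock record and the calling user (not soft-serve's types).
// Admin is an assumed privilege: only admins may force-delete a lock they do not own.
type Lock struct{ ID, Path, Owner string }
type User struct{ Name string; Admin bool }

var (
	ErrNotFound  = errors.New("lock not found")
	ErrNotOwner  = errors.New("lock owned by another user")
	ErrForbidden = errors.New("force delete requires admin")
)

// DeleteLockVulnerable mirrors the ordering flaw the advisory describes: the force
// branch runs before the caller is consulted, so any writer can remove anyone's lock.
func DeleteLockVulnerable(locks map[string]Lock, caller User, id string, force bool) error {
	lock, ok := locks[id]
	if !ok {
		return ErrNotFound
	}
	if force { // ownership and caller privilege are never checked on this path
		delete(locks, id)
		return nil
	}
	if lock.Owner != caller.Name {
		return ErrNotOwner
	}
	delete(locks, id)
	return nil
}

// DeleteLockFixed resolves ownership first and only honours force from an admin,
// so the flag can no longer bypass the ownership check.
func DeleteLockFixed(locks map[string]Lock, caller User, id string, force bool) error {
	lock, ok := locks[id]
	if !ok {
		return ErrNotFound
	}
	switch {
	case lock.Owner == caller.Name: // owner may always delete their own lock
	case !force:
		return ErrNotOwner
	case !caller.Admin:
		return ErrForbidden
	}
	delete(locks, id)
	return nil
}
```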