CVE-2026-30832 in soft-serve

Summary

by MITRE • 03/07/2026

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is blind (the response from a metadata endpoint won't parse as valid LFS JSON), but an attacker hosting a fake LFS server can chain this into full read access to internal services by returning download URLs that point at internal targets. This issue has been patched in version 0.11.4.


Analysis

by VulDB Data Team • 03/12/2026

The vulnerability CVE-2026-30832 affects Soft Serve, a self-hostable Git server designed for command-line use. It exists in versions from 0.6.0 through 0.11.3 and poses a significant risk to organizations that rely on this Git server. The flaw is a critical server-side request forgery (SSRF) that lets an authenticated SSH user reach internal network resources through improper URL handling during repository import.

Technically, the vulnerability stems from insufficient input validation and URL parsing in the repository import functionality. When an authenticated user runs a repo import command with a crafted --lfs-endpoint URL parameter, the server neither sanitizes nor validates the endpoint, so a user can supply a URL that points at internal or private IP addresses. The attack is multi-stage: the initial batch request to an internal endpoint is blind, because the response will not parse as valid LFS JSON, but an attacker gets around that limitation by hosting a fake LFS server whose batch response returns download URLs that point at internal targets, so the server's follow-up downloads expose the contents of those services.

The operational impact goes beyond simple information disclosure and creates potential for internal network reconnaissance and lateral movement within the affected organization's infrastructure. The chain begins with the user starting a repository import with malicious parameters, after which the server makes HTTP requests to internal targets without network segmentation or access controls standing in the way. This gives an attacker a path to enumerate internal services and potentially reach databases, internal APIs, or other sensitive systems that would normally be shielded by network firewalls or access controls.

The vulnerability is classified under CWE-918, which covers server-side request forgery, where an application fetches a resource from an attacker-influenced location. The attack pattern aligns with techniques described in the MITRE ATT&CK framework under T1071.004 (Application Layer Protocol: DNS) and T1046 (Network Service Scanning), as the attacker can systematically probe internal network resources through the Git server. Exploitation requires authentication, which makes the flaw less exposed than an unauthenticated, public-facing vulnerability but still dangerous wherever SSH access is granted to untrusted users.

Organizations should upgrade to Soft Serve version 0.11.4 or later without delay, as the patch addresses the URL validation and input sanitization issues that enabled the attack. Additional mitigations include network segmentation that restricts outbound HTTP requests from the Git server, firewall rules that limit access to internal services, and monitoring for unusual repository import activity. Security teams should also consider automated scanning for similar vulnerabilities in other Git server implementations and confirm that proper access controls are in place for SSH users. The fix in version 0.11.4 demonstrates proper input validation: all external endpoints are validated before any network request is initiated, which prevents uncontrolled URL resolution.
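As an added example (not Soft Serve's code and not the 0.11.4 patch), the kind of check the mitigation above calls for, in Go because Soft Serve is a Go project: every URL the server is about to fetch has its host resolved and is refused if any address is non-public. The function names and the injected lookup parameter are assumptions; applying the same check to the download URLs in the batch response is what closes the fake-server stage described above.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// ErrBlocked: the URL would make the server contact a non-public address.
var ErrBlocked = errors.New("lfs url resolves to a non-public address")

// isPublicIP rejects loopback, private, link-local, multicast and unspecified
// addresses; IPv4-mapped IPv6 is unwrapped so ::ffff:127.0.0.1 is caught too.
func isPublicIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified())
}

// checkLFSURL validates a URL before the server fetches it. Apply it to the
// user-supplied --lfs-endpoint AND to every download URL in the batch response;
// the second use is what breaks the fake-server chain. lookup is an injected
// (hypothetical) resolver so the check can run offline in tests.
func checkLFSURL(raw string, lookup func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	ips, err := lookup(u.Hostname()) // net.LookupIP accepts literal IPs too
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve %q: %v", u.Hostname(), err)
	}
	for _, ip := range ips { // every A/AAAA record must be public
		if !isPublicIP(ip) {
			return nil, ErrBlocked
		}
	}
	return u, nil
}

func main() {
	_, err := checkLFSURL("http://10.0.0.5/lfs", net.LookupIP) // constructed input
	fmt.Println("blocked:", errors.Is(err, ErrBlocked))
}
```

A check like this still leaves a window between resolution and connection (DNS rebinding), so a production version should enforce the same address policy at dial time in the HTTP client's dialer and re-check any redirect target before following it.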

Responsible

GitHub M

Reservation

03/05/2026

Disclosure

03/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00024

KEV

no

Activities

very low
