Platform: go
Component: github.com/charmbracelet/soft-serve
Fixed in: 0.6.1, 0.11.4
CVE-2026-30832 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in soft-serve, a Go library developed by charmbracelet. This vulnerability allows attackers to potentially access internal resources by manipulating the LFS endpoint during repository imports. The vulnerability impacts versions 0.11.3 and earlier. A fix is available in version 0.11.4.
The SSRF vulnerability in soft-serve arises from insufficient validation of the LFS endpoint during repository import operations. An attacker could craft a malicious repository import request that directs soft-serve to make requests to arbitrary internal or external URLs. This could lead to unauthorized access to sensitive data, internal services, or even allow an attacker to interact with internal systems as if they were the soft-serve process. The potential blast radius extends to any internal resources accessible from the server running soft-serve, making it a critical security concern.
CVE-2026-30832 was publicly disclosed on 2026-03-10. The vulnerability's severity is rated as CRITICAL (CVSS 9.1). There are currently no known public exploits or active campaigns targeting this vulnerability, but the SSRF nature makes it a high-priority concern. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (5th percentile)
The primary mitigation for CVE-2026-30832 is to upgrade to version 0.11.4 or later of the soft-serve library. If upgrading immediately is not feasible, consider implementing input validation on the LFS endpoint to restrict the URLs that soft-serve can access. This could involve whitelisting allowed domains or implementing stricter URL parsing rules. Additionally, consider using a Web Application Firewall (WAF) to filter out malicious requests targeting the LFS endpoint. After upgrading, confirm the fix by attempting a repository import with a known malicious LFS URL and verifying that the request is blocked or fails appropriately.
Update Soft Serve to version 0.11.4 or higher. This version fixes the SSRF vulnerability by properly validating the LFS endpoint during repository import.
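As an added illustration of the interim mitigation described above (this is example code, not soft-serve's own fix or any code from the charmbracelet project), the following Go check accepts an LFS endpoint only if it is an https URL without embedded credentials, its host is on a hypothetical allowlist, and every address the host resolves to is publicly routable. The LFSPolicy type, the example.com hostnames and the DNS records are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// LFSPolicy is a hypothetical import-time policy; Resolve is injected so the check can run offline.
type LFSPolicy struct {
	AllowedHosts map[string]bool                     // allowlist of LFS endpoint hostnames (lowercase)
	Resolve      func(host string) ([]net.IP, error) // normally net.LookupIP
}

// ValidateLFSEndpoint accepts raw only if it is an https URL without embedded credentials,
// its host is allowlisted, and every address the host resolves to is publicly routable.
func (p LFSPolicy) ValidateLFSEndpoint(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.User != nil {
		return fmt.Errorf("lfs endpoint: must be a valid https URL without credentials: %q", raw)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || !p.AllowedHosts[host] {
		return fmt.Errorf("lfs endpoint: host %q is not on the allowlist", host)
	}
	// Check resolved addresses too, so an allowlisted name cannot be pointed at an internal host.
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = p.Resolve(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("lfs endpoint: cannot resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return fmt.Errorf("lfs endpoint: %q resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed stand-in for DNS; these names and addresses are made up for the example.
	records := map[string][]net.IP{"lfs.example.com": {net.ParseIP("203.0.113.10")},
		"rebound.example.com": {net.ParseIP("10.0.0.5")}}
	p := LFSPolicy{AllowedHosts: map[string]bool{"lfs.example.com": true, "rebound.example.com": true},
		Resolve: func(h string) ([]net.IP, error) { return records[h], nil }}
	fmt.Println(p.ValidateLFSEndpoint("https://lfs.example.com/repo.git/info/lfs"))     // <nil>
	fmt.Println(p.ValidateLFSEndpoint("https://rebound.example.com/repo.git/info/lfs")) // non-public
}
```

Resolving the allowlisted name before use is what catches the second case, where a permitted hostname has been pointed at a private address; in production, Resolve would be net.LookupIP and the allowlist would hold only the LFS hosts imports are expected to reach.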
CVE-2026-30832 is a critical SSRF vulnerability in the soft-serve Go library, allowing attackers to potentially access internal resources through manipulated repository imports.
If you are using soft-serve version 0.11.3 or earlier, you are vulnerable. Check your project dependencies to determine if you are using the library.
Upgrade to version 0.11.4 or later of the soft-serve library. If immediate upgrade is not possible, implement input validation on the LFS endpoint.
As of now, there are no known public exploits or active campaigns targeting this vulnerability, but the SSRF nature warrants immediate attention.
Refer to the charmbracelet project's repository and release notes for the official advisory and details about the fix: [https://github.com/charmbracelet/soft-serve](https://github.com/charmbracelet/soft-serve)