The vulnerability CVE-2026-30832 affects charmbracelet's soft-serve, a self-hosted Git server designed for command-line use. Versions from 0.6.0 to before 0.11.4 contain a Server-Side Request Forgery (SSRF) flaw categorized under CWE-918. An attacker with authenticated SSH access can exploit this by invoking the repo import command with a maliciously crafted --lfs-endpoint URL. This causes the server to make HTTP requests to internal or private IP addresses, which are normally inaccessible externally. Initially, the SSRF is blind because the metadata endpoint's response does not parse as valid LFS JSON. However, if the attacker controls a fake LFS server, they can manipulate the server to follow download URLs that point to internal services, effectively granting read access to sensitive internal resources. This chained SSRF attack can lead to significant data exposure and potential lateral movement within the network. The vulnerability requires authentication but no user interaction beyond the crafted command. It affects confidentiality (high impact), integrity (limited), and availability (limited), with a CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L). The flaw was publicly disclosed and patched in version 0.11.4, and no known exploits in the wild have been reported yet.

This vulnerability poses a critical risk to organizations using affected versions of soft-serve. An authenticated attacker can leverage SSRF to access internal services that are otherwise protected by network segmentation or firewalls, potentially exposing sensitive data, internal APIs, or administrative interfaces. This can lead to data breaches, unauthorized information disclosure, and facilitate further attacks such as lateral movement or privilege escalation within the internal network. The ability to chain the SSRF to gain full read access to internal services significantly increases the attack surface. Since soft-serve is used for Git repository management, compromise could also affect source code confidentiality and integrity, impacting software supply chain security. The requirement for SSH authentication limits exposure to insiders or compromised accounts but does not eliminate risk, especially in environments with many users or weak credential management. The vulnerability's critical severity and ease of exploitation underline the urgency for remediation to prevent potential exploitation and data loss.

Organizations should immediately upgrade soft-serve to version 0.11.4 or later, where this vulnerability is patched. Until upgrade is possible, restrict SSH access to trusted users only and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of account compromise. Monitor and audit SSH user activities for unusual repo import commands or suspicious --lfs-endpoint usage. Network segmentation should be reviewed to limit the server's ability to make outbound HTTP requests to internal IP ranges, possibly by implementing egress filtering or firewall rules that restrict HTTP traffic from the soft-serve host to internal services. Additionally, consider deploying web application firewalls or intrusion detection systems capable of detecting anomalous SSRF patterns. Regularly review and rotate credentials and SSH keys to minimize the risk of unauthorized access. Finally, educate developers and administrators about the risks of SSRF and the importance of timely patching.