CVE-2026-33353: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in charmbracelet soft-serve
CVE-2026-33353 is a high-severity vulnerability in charmbracelet's Soft Serve Git server, affecting versions 0.6.0 up to but not including 0.11.6. It is an authorization flaw in the repository import functionality: any authenticated SSH user can import another user's private repository on the same server into a new repository they control, which exposes that repository's source code and history to an unauthorized actor. Exploitation requires no elevated privileges and no user interaction. The vulnerability is patched in version 0.11.6.
AI Analysis
Technical Summary
CVE-2026-33353 is a vulnerability in charmbracelet's Soft Serve, a self-hostable Git server operated from the command line. Affected versions range from 0.6.0 up to but not including 0.11.6. The core issue is an authorization flaw in the repository import mechanism: the import path does not check whether the requesting user is allowed to read the repository named as the import source. Any authenticated SSH user can therefore import any server-local Git repository, including private repositories owned by other users, into a new repository they control, bypassing the access controls that otherwise protect private repositories.

The weakness is catalogued as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-862 (Missing Authorization). Exploitation needs nothing beyond an ordinary authenticated SSH account and no user interaction, so any user of a multi-tenant instance, or anyone holding a compromised user key, is in a position to abuse it. The flaw carries a CVSS 4.0 base score of 7.1 (high). It was fixed in Soft Serve 0.11.6, which enforces the missing authorization check on imports. No exploitation in the wild had been reported as of publication. The vulnerability mainly concerns organizations that self-host Soft Serve with multiple users and private repositories.
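The missing check, as an added illustration that is not Soft Serve's own code: the small server model below (its types, function names and the store path are all assumptions made for this example) puts an import handler that accepts any clone source unchecked beside one that first resolves a filesystem source to the managed repository it names, demands read access to it, and refuses any other local path. It is in Go because Soft Serve is a Go project.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Hypothetical model of a Soft Serve-like server; the type and function names
// are assumptions made for this example, not Soft Serve's own code.
type Repo struct {
	Name    string
	Owner   string
	Private bool
}

type Server struct {
	ReposDir string           // on-disk root of the repository store (assumed path)
	Repos    map[string]*Repo // keyed by repository name
}

var ErrUnauthorized = errors.New("unauthorized")

// canRead is the ordinary read check: public repos for everyone, private ones
// for the owner only. It is exactly what the import path failed to consult.
func (s *Server) canRead(user string, r *Repo) bool {
	return !r.Private || r.Owner == user
}

// isRemoteSource reports whether a clone source is a network location rather
// than a path on the server's own filesystem (plain path or file:// URL).
func isRemoteSource(source string) bool {
	if i := strings.Index(source, ":"); i > 0 && strings.Contains(source[:i], "@") && !strings.Contains(source[:i], "/") {
		return true // scp-style user@host:path
	}
	u, err := url.Parse(source)
	return err == nil && (u.Scheme == "http" || u.Scheme == "https" || u.Scheme == "ssh" || u.Scheme == "git")
}

// localRepo resolves a filesystem source to the managed repository it names,
// or nil when it lies outside the store or names nothing that is managed.
func (s *Server) localRepo(source string) *Repo {
	p := source
	if u, err := url.Parse(source); err == nil && u.Scheme == "file" {
		p = u.Path
	}
	if !filepath.IsAbs(p) {
		p = filepath.Join(s.ReposDir, p) // assumption: relative sources resolve inside the store
	}
	rel, err := filepath.Rel(s.ReposDir, p)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(filepath.ToSlash(rel), "../") {
		return nil
	}
	return s.Repos[strings.TrimSuffix(rel, ".git")]
}

// importRepoVulnerable mirrors the flawed behaviour the advisory describes: the
// target name is checked, but the source goes to git unchecked, so a path into
// the store copies any repository regardless of who owns it.
func (s *Server) importRepoVulnerable(user, name, source string) (*Repo, error) {
	if _, exists := s.Repos[name]; exists {
		return nil, fmt.Errorf("repository %q already exists", name)
	}
	r := &Repo{Name: name, Owner: user, Private: true} // `git clone <source>` would run here
	s.Repos[name] = r
	return r, nil
}

// importRepoFixed adds the missing authorization step before the clone: a
// filesystem source must be a managed repository the requester may read, and
// any other local path is refused outright. The clone itself is unchanged.
func (s *Server) importRepoFixed(user, name, source string) (*Repo, error) {
	if !isRemoteSource(source) {
		src := s.localRepo(source)
		if src == nil {
			return nil, fmt.Errorf("%w: %q is not an importable source", ErrUnauthorized, source)
		}
		if !s.canRead(user, src) {
			return nil, fmt.Errorf("%w: %s may not read %s", ErrUnauthorized, user, src.Name)
		}
	}
	return s.importRepoVulnerable(user, name, source)
}

// newExampleServer builds a constructed store (sample data, not a real deployment).
func newExampleServer() *Server {
	return &Server{ReposDir: "/var/lib/soft-serve/repos", Repos: map[string]*Repo{
		"secret": {Name: "secret", Owner: "alice", Private: true},
		"tools":  {Name: "tools", Owner: "bob"},
	}}
}

func main() {
	src := "/var/lib/soft-serve/repos/secret.git"
	_, err := newExampleServer().importRepoVulnerable("mallory", "stolen", src)
	fmt.Println("vulnerable:", err) // <nil>: mallory now holds a copy of alice's private repo
	_, err = newExampleServer().importRepoFixed("mallory", "stolen", src)
	fmt.Println("fixed:", err) // unauthorized: mallory may not read secret
}
```

The point of the hardened handler is that the decision is made on the resolved source, not on the string the user typed: a plain path, a `file://` URL and a relative path that climbs back into the store all end at the same repository object and the same `canRead` call, while a path that does not resolve to a managed repository is refused rather than passed to `git clone`.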
Potential Impact
The primary impact of CVE-2026-33353 is unauthorized disclosure of source code and intellectual property: an attacker with an authenticated SSH account can obtain a full copy, history included, of private repositories belonging to other users on the same instance. The flaw does not by itself grant write access to the victim's repository, but a cloned history often contains material that enables follow-on attacks, such as credentials, API tokens, deploy keys or internal infrastructure details. Organizations using Soft Serve for internal or customer-facing code hosting may also face contractual or regulatory consequences if protected data is exposed. Because exploitation needs no elevated privileges and no user interaction, the realistic threat actors are insiders and anyone who has compromised a single user's SSH key. No exploitation in the wild is known, but the risk to multi-user deployments holding private code is significant.
Mitigation Recommendations
The effective fix is to upgrade every Soft Serve instance to version 0.11.6 or later, where the authorization flaw is corrected. Until that is done:

- Treat every SSH account as able to read every repository on the instance. Restricting SSH access to trusted users reduces exposure to compromised keys but does nothing against an insider, since an ordinary authenticated account is all the flaw requires.
- Audit repository imports. An import whose source resolves to another repository on the same server, rather than an external URL, is the pattern to look for; review existing repositories for copies of private ones created by users who had no access to the original.
- If upgrading must wait, move the most sensitive repositories to a separate, patched instance or to another host with enforced access controls.
- Review user accounts and SSH keys, remove stale ones, and keep the server on a segmented network so that only intended users can reach the SSH port.
- Enable logging and alerting on repository creation and access events so that an unexpected import is noticed promptly, and remind users that their SSH keys are the only credential standing between an outsider and this flaw.
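To find the instances that still need the upgrade, the following added Go example (not part of the advisory or of Soft Serve) applies the advisory's affected range, 0.6.0 inclusive to 0.11.6 exclusive, to a constructed inventory of version strings. Treating a pre-release of 0.11.6 as still affected, and the hostnames and versions in the inventory, are assumptions made here.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Affected range from the advisory: 0.6.0 <= version < 0.11.6.
var (
	firstAffected = [3]int{0, 6, 0}
	fixedIn       = [3]int{0, 11, 6}
)

// parseVersion accepts "0.11.5", "v0.11.5", "0.11.6-rc1" or "0.11.6+build"
// forms and returns the numeric triple plus whether a pre-release tag was present.
func parseVersion(s string) (v [3]int, pre bool, err error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.Index(s, "+"); i >= 0 { // build metadata never affects ordering
		s = s[:i]
	}
	if i := strings.Index(s, "-"); i >= 0 {
		s, pre = s[:i], true
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, false, fmt.Errorf("expected major.minor.patch, got %q", s)
	}
	for i, p := range parts {
		n, perr := strconv.Atoi(p)
		if perr != nil || n < 0 {
			return v, false, fmt.Errorf("bad component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, pre, nil
}

func compare(a, b [3]int) int {
	for i := range a {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// isAffected applies the advisory range. A pre-release of the fixed version
// (such as 0.11.6-rc1) is counted as affected because it predates the fix;
// that reading of pre-release tags is an assumption of this example.
func isAffected(version string) (bool, error) {
	v, pre, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	if compare(v, firstAffected) < 0 {
		return false, nil
	}
	c := compare(v, fixedIn)
	return c < 0 || (c == 0 && pre), nil
}

// inventory is constructed sample data (host -> version each instance reports);
// the hostnames are not real.
var inventory = map[string]string{
	"git-a.example.internal": "v0.11.5",
	"git-b.example.internal": "0.11.6",
	"git-c.example.internal": "0.9.0",
	"git-d.example.internal": "0.11.6-rc1",
	"git-e.example.internal": "unknown",
}

// affectedHosts splits an inventory into hosts that need the upgrade and hosts
// whose version string could not be parsed and need a manual look, both sorted.
func affectedHosts(inv map[string]string) (affected, unparsable []string) {
	for host, ver := range inv {
		ok, err := isAffected(ver)
		switch {
		case err != nil:
			unparsable = append(unparsable, host)
		case ok:
			affected = append(affected, host)
		}
	}
	sort.Strings(affected)
	sort.Strings(unparsable)
	return affected, unparsable
}

func main() {
	aff, bad := affectedHosts(inventory)
	fmt.Println("upgrade to 0.11.6 or later:", aff)     // [git-a... git-c... git-d...]
	fmt.Println("version unknown, check by hand:", bad) // [git-e.example.internal]
}
```

Hosts whose version cannot be parsed are reported separately rather than silently skipped; in a real sweep those are the ones most likely to be forgotten, and a missed 0.11.x instance leaves every private repository on it readable by every user.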
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, Australia, Netherlands, Sweden, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T22:15:11.814Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c2edf6f4197a8e3b721c0f
Added to database: 3/24/2026, 8:03:02 PM
Last enriched: 3/24/2026, 8:15:57 PM
Last updated: 3/24/2026, 9:27:13 PM