CVE-2026-33353 is an authorization vulnerability classified under CWE-200 (Exposure of Sensitive Information) and CWE-862 (Missing Authorization) affecting charmbracelet's Soft Serve, a self-hosted Git server designed for command-line use. The flaw exists in versions 0.6.0 through 0.11.5, where the repository import functionality fails to properly verify whether an authenticated SSH user has permission to clone a given local repository. As a result, any user with SSH authentication to the server can clone repositories owned by other users, including private repositories, into new repositories they control. This unauthorized cloning exposes sensitive source code and potentially proprietary information to attackers with valid SSH credentials. The vulnerability does not require elevated privileges beyond SSH authentication, nor does it require user interaction, making exploitation straightforward for insiders or attackers who have gained SSH access. The issue was addressed and patched in version 0.11.6 by implementing proper authorization checks during repository import operations. The CVSS v4.0 base score is 7.1, reflecting a high severity due to network attack vector, low attack complexity, no privileges required beyond authentication, and a high impact on confidentiality. There is no known exploitation in the wild as of the publication date. The vulnerability highlights the critical importance of enforcing strict access controls in multi-user Git server environments to prevent unauthorized data exposure.

The primary impact of CVE-2026-33353 is the unauthorized disclosure of sensitive source code and intellectual property stored in private Git repositories hosted on Soft Serve instances. Organizations relying on Soft Serve for internal or external code hosting risk significant confidentiality breaches if attackers or malicious insiders with SSH access exploit this flaw. Such exposure can lead to intellectual property theft, leakage of proprietary algorithms, and potential downstream security risks if sensitive credentials or configuration files are included in repositories. While the vulnerability does not affect data integrity or availability, the confidentiality breach alone can have severe business and reputational consequences. The ease of exploitation by any authenticated SSH user increases the risk, especially in environments where SSH access is broadly granted or insufficiently monitored. This vulnerability is particularly critical for organizations with sensitive or regulated codebases, including software vendors, financial institutions, and government agencies. Failure to patch promptly could facilitate insider threats or lateral movement by attackers who have compromised SSH credentials.

To mitigate CVE-2026-33353, organizations should immediately upgrade all Soft Serve instances to version 0.11.6 or later, where the authorization flaw has been fixed. Until upgrades can be applied, restrict SSH access to trusted users only and implement strict SSH key management policies to minimize the risk of credential compromise. Employ network segmentation and firewall rules to limit access to Soft Serve servers. Enable detailed logging and monitoring of Git repository access and cloning activities to detect anomalous behavior indicative of exploitation attempts. Consider deploying additional access control layers such as SSH bastion hosts or multi-factor authentication for SSH sessions. Regularly audit repository permissions and user access rights to ensure least privilege principles are enforced. For organizations unable to upgrade immediately, temporarily disabling repository import functionality or restricting it to administrators can reduce exposure. Finally, conduct security awareness training for administrators and users about the risks of unauthorized repository access and the importance of securing SSH credentials.