Soft Serve, Hard Fail: The Context Pollution Authentication Bypass
Jan 21, 2026
Executive Summary (TL;DR)
Soft Serve versions prior to v0.11.3 contain a critical (CVSS 10.0) authentication bypass. During SSH public-key authentication the server resolves a user identity for every key the client offers in the 'query' phase, i.e. before any signature proves the client holds the matching private key, and stores that identity in the session context. An attacker who first offers an administrator's public key and then completes authentication with a key of their own that the server accepts ends up with a session the server treats as the administrator's. Update to v0.11.3 immediately.
The root cause is a state-management logic error in Soft Serve's SSH handling: identity is bound to the session at key-offer time rather than at signature-verification time, so an unauthenticated attacker can pollute the session context with a privileged identity before authenticating with a low-privileged key. The only prerequisite is the administrator's SSH public key, and SSH public keys are not secrets (they are routinely published, for example through Git hosting profiles), so no credentials or prior access are needed.
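The offer-then-switch sequence described above, modelled in Go as an added example (this is not Soft Serve's code and not its fix): a handler that binds identity at key-offer time sits next to one that binds it only from the key whose signature actually verified. Assumptions: keys unknown to the server are let in as anonymous (standing in for an anonymous-access setting), the SSH userauth exchange is reduced to a list of query/signed requests, the names `authRequest`, `vulnerableServer`, `hardenedServer` and `runAttack` are illustrative, and an Ed25519 signature over a constructed session identifier stands in for the real SSH signed blob.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// User is a minimal account record (constructed for this example).
type User struct {
	Name  string
	Admin bool
}

// KeyDB maps public keys to users. Keys absent from it are treated as
// anonymous, which this model allows (assumption: an anon-access setting).
type KeyDB struct{ users map[string]*User }

func (db *KeyDB) Lookup(pk ed25519.PublicKey) *User { return db.users[string(pk)] }

// Session is the per-connection context that command handlers read identity from.
type Session struct{ User *User }

// authRequest models SSH_MSG_USERAUTH_REQUEST (publickey): the query form
// carries no signature, the real attempt carries one (RFC 4252 section 7).
type authRequest struct {
	Key       ed25519.PublicKey
	Signature []byte // nil in the query phase
}

type serverFn func(*KeyDB, *Session, []authRequest) error

var ErrAuthFailed = errors.New("auth failed")

// sessionID stands in for the SSH session identifier covered by the signature (constructed).
var sessionID = []byte("constructed-session-id")

func signedData(pk ed25519.PublicKey) []byte {
	return append(append([]byte{}, sessionID...), pk...)
}

// vulnerableServer binds identity as soon as a key is offered, before any
// signature proves possession of the matching private key.
func vulnerableServer(db *KeyDB, sess *Session, reqs []authRequest) error {
	for _, r := range reqs {
		if u := db.Lookup(r.Key); u != nil {
			sess.User = u // BUG: identity stored during the query phase
		}
		if r.Signature == nil {
			continue // answer PK_OK and wait for a signed request
		}
		if !ed25519.Verify(r.Key, signedData(r.Key), r.Signature) {
			return ErrAuthFailed
		}
		if sess.User == nil {
			sess.User = &User{Name: "anonymous"}
		}
		return nil // a stale admin identity from an earlier offer survives here
	}
	return ErrAuthFailed
}

// hardenedServer derives identity only from the key whose signature verified;
// the query phase is a pure yes/no answer and records nothing.
func hardenedServer(db *KeyDB, sess *Session, reqs []authRequest) error {
	for _, r := range reqs {
		if r.Signature == nil {
			continue
		}
		if !ed25519.Verify(r.Key, signedData(r.Key), r.Signature) {
			return ErrAuthFailed
		}
		if sess.User = db.Lookup(r.Key); sess.User == nil {
			sess.User = &User{Name: "anonymous"}
		}
		return nil
	}
	return ErrAuthFailed
}

// runAttack replays the bypass: offer the admin's public key (query only),
// then authenticate with the attacker's own key. It returns the identity
// the session ended up with.
func runAttack(srv serverFn) (name string, admin bool, err error) {
	adminPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", false, err
	}
	attPub, attPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", false, err
	}
	db := &KeyDB{users: map[string]*User{string(adminPub): {Name: "admin", Admin: true}}}
	reqs := []authRequest{
		{Key: adminPub}, // the attacker can only offer this key, never sign with it
		{Key: attPub},
		{Key: attPub, Signature: ed25519.Sign(attPriv, signedData(attPub))},
	}
	sess := &Session{}
	if err := srv(db, sess, reqs); err != nil {
		return "", false, err
	}
	return sess.User.Name, sess.User.Admin, nil
}

func main() {
	n, a, err := runAttack(vulnerableServer)
	fmt.Printf("vulnerable: user=%s admin=%v err=%v\n", n, a, err)
	n, a, err = runAttack(hardenedServer)
	fmt.Printf("hardened:   user=%s admin=%v err=%v\n", n, a, err)
}
```

For the same three-message sequence the vulnerable model ends with user=admin and the hardened model with user=anonymous. The fix pattern is the one the hardened model shows: treat the query-phase callback as a stateless accept/reject decision and take the session identity from the key the server actually verified, never from a key that was merely offered.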
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Soft Serve (Charmbracelet) | < 0.11.3 | 0.11.3 |

| Attribute | Detail |
|---|---|
| Attack Vector | Network (SSH) |
| CVSS | 10.0 (Critical) |
| CWE | CWE-287 (Improper Authentication), CWE-840 (Business Logic Errors) |
| Prerequisites | Target administrator's SSH public key |
| Exploit Status | Functional PoC available |
| Root Cause | Session state pollution (identity bound at key-offer time) |
Weakness Classification
CWE-287 (Improper Authentication) combined with CWE-840 (Business Logic Errors): an identity-confusion flaw in which the session's identity is fixed before the offered SSH key has been proven by a signature.