CVE-2026-30832 — AI Deep Analysis Summary

🚨 **Essence**: Soft Serve allows authenticated users to force the server to make HTTP requests to internal IPs via a crafted `--lfs-endpoint` URL.…

🛡️ **Root Cause**: **CWE-918** (Server-Side Request Forgery). The flaw lies in how the application handles user-supplied LFS endpoint URLs without proper validation or restriction.

📦 **Affected**: **Charmbracelet Soft Serve**. Versions **0.6.0 through 0.11.3**. ✅ **Safe**: Version **0.11.4** and later are patched.

💀 **Attacker Capabilities**: With **Authentication**, hackers can bypass network boundaries. They can access **Internal Services** and potentially read sensitive internal data or network configurations.

🔐 **Threshold**: **Medium**. Requires **Authenticated SSH Access**. It is not an unauthenticated remote exploit, limiting the attack surface to compromised or valid user accounts.

📜 **Exploit Status**: No public PoC/Wild Exploit listed in data. However, the vulnerability is well-documented via GitHub Advisory (**GHSA-3fvx-xrxq-8jvv**).

🔍 **Self-Check**: Scan for **Soft Serve** instances running versions **< 0.11.4**. Check if SSH authentication is enabled and if LFS endpoints are configurable by users.

✅ **Fixed**: Yes. Official patch released in **v0.11.4**. See commit `3ef6600` for details. Update immediately to the latest version.

🛑 **No Patch Workaround**: Restrict SSH access strictly. Disable LFS endpoint customization for users if possible. Implement network segmentation to protect internal services from the Soft Serve host.

⚡ **Urgency**: **High Priority** for affected versions. Although auth is required, SSRF risks are severe. Patch to **v0.11.4+** immediately to prevent internal network reconnaissance.