
    6 vulnerabilities by solidtime-io

    CVE-2026-47236 (GCVE-0-2026-47236)

    Vulnerability from nvd – Published: 2026-06-12 18:11 – Updated: 2026-06-15 13:09
    VLAI
    Title
    Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission
    Summary
    Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines explicit invitations:view and members:view permissions that gate the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam() and then loads and serializes all pending invitation emails as well as members into Inertia props. Any employee who belongs to the organization can read pending invitation email addresses and members through the serialised Inertia data in the team page body, even though the same user is forbidden from the API. This issue has been patched in version 0.12.2.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    solidtime-io solidtime Affected: < 0.12.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47236",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-15T13:09:45.966353Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-15T13:09:55.982Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "solidtime",
              "vendor": "solidtime-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.12.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam() and then loads and serializes all pending invitation emails as well as members into Inertia props. Any employee who belongs to the organization can read pending invitation email addresses and members through the serialised inertia data in the team page body even though the same user is forbidden from the API. This issue has been patched in version 0.12.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:11:31.930Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-33xq-wf67-c7vh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-33xq-wf67-c7vh"
            },
            {
              "name": "https://github.com/solidtime-io/solidtime/releases/tag/v0.12.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/solidtime-io/solidtime/releases/tag/v0.12.2"
            }
          ],
          "source": {
            "advisory": "GHSA-33xq-wf67-c7vh",
            "discovery": "UNKNOWN"
          },
          "title": "Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47236",
        "datePublished": "2026-06-12T18:11:31.930Z",
        "dateReserved": "2026-05-18T22:54:18.271Z",
        "dateUpdated": "2026-06-15T13:09:55.982Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42279 (GCVE-0-2026-42279)

    Vulnerability from nvd – Published: 2026-05-08 03:57 – Updated: 2026-05-08 10:38
    VLAI
    Title
    solidtime: Time entry update endpoint allows cross-organization modification of a known time-entry UUID
    Summary
    solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    solidtime-io solidtime Affected: = 0.12.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42279",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T10:38:02.981878Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T10:38:51.086Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "solidtime",
              "vendor": "solidtime-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 0.12.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller\u0027s organization. This issue has been patched in version 0.12.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-08T03:57:31.727Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr"
            },
            {
              "name": "https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c"
            },
            {
              "name": "https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1"
            }
          ],
          "source": {
            "advisory": "GHSA-pmf9-pxq9-ccwr",
            "discovery": "UNKNOWN"
          },
          "title": "solidtime: Time entry update endpoint allows cross-organization modification of a known time-entry UUID"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42279",
        "datePublished": "2026-05-08T03:57:31.727Z",
        "dateReserved": "2026-04-26T11:53:27.716Z",
        "dateUpdated": "2026-05-08T10:38:51.086Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33345 (GCVE-0-2026-33345)

    Vulnerability from nvd – Published: 2026-03-24 19:30 – Updated: 2026-03-25 13:21
    VLAI
    Title
    solidtime vulnerable to IDOR in private projects
    Summary
    solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    solidtime-io solidtime Affected: < 0.11.6

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33345",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-25T13:21:15.653150Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T13:21:58.960Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "solidtime",
              "vendor": "solidtime-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.11.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-24T19:30:27.471Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm"
            },
            {
              "name": "https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209"
            },
            {
              "name": "https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6"
            }
          ],
          "source": {
            "advisory": "GHSA-354j-rx28-jjxm",
            "discovery": "UNKNOWN"
          },
          "title": "solidtime vulnerable to IDOR in private projects"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33345",
        "datePublished": "2026-03-24T19:30:27.471Z",
        "dateReserved": "2026-03-18T22:15:11.813Z",
        "dateUpdated": "2026-03-25T13:21:58.960Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-47236 (GCVE-0-2026-47236)

    Vulnerability from cvelistv5 – Published: 2026-06-12 18:11 – Updated: 2026-06-15 13:09
    VLAI
    Title
    Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission
    Summary
    Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines explicit invitations:view and members:view permissions that gate the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam() and then loads and serializes all pending invitation emails as well as members into Inertia props. Any employee who belongs to the organization can read pending invitation email addresses and members through the serialised Inertia data in the team page body, even though the same user is forbidden from the API. This issue has been patched in version 0.12.2.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    solidtime-io solidtime Affected: < 0.12.2

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-47236",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-15T13:09:45.966353Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-15T13:09:55.982Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "solidtime",
              "vendor": "solidtime-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.12.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam() and then loads and serializes all pending invitation emails as well as members into Inertia props. Any employee who belongs to the organization can read pending invitation email addresses and members through the serialised inertia data in the team page body even though the same user is forbidden from the API. This issue has been patched in version 0.12.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-12T18:11:31.930Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-33xq-wf67-c7vh",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-33xq-wf67-c7vh"
            },
            {
              "name": "https://github.com/solidtime-io/solidtime/releases/tag/v0.12.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/solidtime-io/solidtime/releases/tag/v0.12.2"
            }
          ],
          "source": {
            "advisory": "GHSA-33xq-wf67-c7vh",
            "discovery": "UNKNOWN"
          },
          "title": "Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-47236",
        "datePublished": "2026-06-12T18:11:31.930Z",
        "dateReserved": "2026-05-18T22:54:18.271Z",
        "dateUpdated": "2026-06-15T13:09:55.982Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42279 (GCVE-0-2026-42279)

    Vulnerability from cvelistv5 – Published: 2026-05-08 03:57 – Updated: 2026-05-08 10:38
    VLAI
    Title
    solidtime: Time entry update endpoint allows cross-organization modification of a known time-entry UUID
    Summary
    solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    solidtime-io solidtime Affected: = 0.12.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42279",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-08T10:38:02.981878Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-08T10:38:51.086Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "solidtime",
              "vendor": "solidtime-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "= 0.12.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller\u0027s organization. This issue has been patched in version 0.12.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-08T03:57:31.727Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr"
            },
            {
              "name": "https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c"
            },
            {
              "name": "https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1"
            }
          ],
          "source": {
            "advisory": "GHSA-pmf9-pxq9-ccwr",
            "discovery": "UNKNOWN"
          },
          "title": "solidtime: Time entry update endpoint allows cross-organization modification of a known time-entry UUID"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42279",
        "datePublished": "2026-05-08T03:57:31.727Z",
        "dateReserved": "2026-04-26T11:53:27.716Z",
        "dateUpdated": "2026-05-08T10:38:51.086Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33345 (GCVE-0-2026-33345)

    Vulnerability from cvelistv5 – Published: 2026-03-24 19:30 – Updated: 2026-03-25 13:21
    VLAI
    Title
    solidtime vulnerable to IDOR in private projects
    Summary
    solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    solidtime-io solidtime Affected: < 0.11.6

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33345",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-25T13:21:15.653150Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-25T13:21:58.960Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "solidtime",
              "vendor": "solidtime-io",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.11.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-24T19:30:27.471Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm"
            },
            {
              "name": "https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209"
            },
            {
              "name": "https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6"
            }
          ],
          "source": {
            "advisory": "GHSA-354j-rx28-jjxm",
            "discovery": "UNKNOWN"
          },
          "title": "solidtime vulnerable to IDOR in private projects"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-33345",
        "datePublished": "2026-03-24T19:30:27.471Z",
        "dateReserved": "2026-03-18T22:15:11.813Z",
        "dateUpdated": "2026-03-25T13:21:58.960Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }