Skip to main content

titra CVE-2026-42092

| EUVD-2026-27069 MEDIUM
Information Exposure (CWE-200)
2026-05-04 GitHub_M
Information Disclosure Titra
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 04, 2026 - 18:03 vuln.today
Analysis Generated
May 04, 2026 - 17:45 vuln.today
CVE Published
May 04, 2026 - 17:30 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as google_secret, openai_apikey, and google_clientid. At time of publication no public patch is available.

AnalysisAI

titra 0.99.52 leaks sensitive global configuration settings to any authenticated user via an unprotected Meteor DDP publication, exposing API keys and OAuth secrets without administrative checks. Authenticated attackers can subscribe to the globalsettings publication and retrieve plaintext credentials including google_secret, openai_apikey, and google_clientid. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Create titra user account
Delivery
Authenticate to DDP endpoint
Exploit
Subscribe to globalsettings publication
Execution
Receive plaintext API credentials
Impact
Access external services as application
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) valid authentication to titra (user account created or registered); (2) network access to the DDP endpoint (typically the same origin as the web application); (3) the globalsettings MongoDB collection must exist and contain the sensitive fields (google_secret, openai_apikey, google_clientid). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects confidentiality breach with high impact but limited scope and low attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with valid titra user credentials (obtained through public registration or social engineering) connects to the titra DDP endpoint over HTTPS and subscribes to the globalsettings publication using a Meteor client library. The unguarded publication immediately transmits sensitive fields including plaintext API keys. …
Remediation No vendor-released patch is available at time of publication. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-42092 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy