Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.
AnalysisAI
Cross-organization time-entry modification in solidtime 0.12.0 allows authenticated users with time-entries:update:all permission in their own organization to modify and rebind time entries belonging to different organizations by exploiting insufficient route-parameter validation in the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} endpoint. An attacker can supply a known foreign time-entry UUID and reassign it to projects within their own organization, causing unauthorized data manipulation across organizational boundaries. Vendor-released patch: version 0.12.1.
Technical ContextAI
solidtime is a Laravel-based time-tracking application using route model binding to resolve URL parameters. The vulnerability stems from the API controller's permission checks failing to validate that the route-bound timeEntry object belongs to the same organization specified in the URL path. Route model binding in Laravel automatically resolves the {timeEntry} parameter to a TimeEntry model by UUID without implicit multi-tenant scope enforcement. The checkPermission() calls previously validated only the organization and permission level (time-entries:update:own or time-entries:update:all) but did not verify that the resolved timeEntry entity's organization_id matched the {organization} parameter. CWE-639 (Authorization Bypass Through User-Controlled Key) applies because the attacker controls the timeEntry UUID in the URL and can bypass the intended multi-tenant authorization boundary by selecting a UUID from a different organization. The fix adds the timeEntry object as a third parameter to checkPermission(), enabling organization membership validation at the time-entry level.
RemediationAI
Upgrade solidtime to version 0.12.1 or later immediately. The vendor-released patch modifies the checkPermission() calls in TimeEntryController.php to pass the timeEntry object as a third parameter, enabling organization-level validation. Users unable to upgrade immediately should restrict the time-entries:update:all permission to only trusted administrators and implement network-level access controls (e.g., firewall rules, API rate limiting) on the PUT /api/v1/organizations/*/time-entries/* endpoint. Additionally, audit existing time-entry modifications for evidence of cross-organization tampering by reviewing time-entry update logs and checking for entries that switched project_id assignments while their organization_id remained in a different tenant. Vendor advisory and patch details are available at https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr and the fix commit at https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c.
Solidtime prior to version 0.11.6 contains an authorization bypass vulnerability in its project detail endpoint that all
Unauthorized disclosure of pending invitation emails and member data in Solidtime prior to v0.12.2 allows any authentica
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28527