Skip to main content

solidtime CVE-2026-42279

| EUVDEUVD-2026-28527 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-08 GitHub_M
5.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.8 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 08, 2026 - 05:31 vuln.today
Analysis Generated
May 08, 2026 - 05:31 vuln.today
CVE Published
May 08, 2026 - 03:57 nvd
MEDIUM 5.8

DescriptionGitHub Advisory

solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.

AnalysisAI

Cross-organization time-entry modification in solidtime 0.12.0 allows authenticated users with time-entries:update:all permission in their own organization to modify and rebind time entries belonging to different organizations by exploiting insufficient route-parameter validation in the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} endpoint. An attacker can supply a known foreign time-entry UUID and reassign it to projects within their own organization, causing unauthorized data manipulation across organizational boundaries. Vendor-released patch: version 0.12.1.

Technical ContextAI

solidtime is a Laravel-based time-tracking application using route model binding to resolve URL parameters. The vulnerability stems from the API controller's permission checks failing to validate that the route-bound timeEntry object belongs to the same organization specified in the URL path. Route model binding in Laravel automatically resolves the {timeEntry} parameter to a TimeEntry model by UUID without implicit multi-tenant scope enforcement. The checkPermission() calls previously validated only the organization and permission level (time-entries:update:own or time-entries:update:all) but did not verify that the resolved timeEntry entity's organization_id matched the {organization} parameter. CWE-639 (Authorization Bypass Through User-Controlled Key) applies because the attacker controls the timeEntry UUID in the URL and can bypass the intended multi-tenant authorization boundary by selecting a UUID from a different organization. The fix adds the timeEntry object as a third parameter to checkPermission(), enabling organization membership validation at the time-entry level.

RemediationAI

Upgrade solidtime to version 0.12.1 or later immediately. The vendor-released patch modifies the checkPermission() calls in TimeEntryController.php to pass the timeEntry object as a third parameter, enabling organization-level validation. Users unable to upgrade immediately should restrict the time-entries:update:all permission to only trusted administrators and implement network-level access controls (e.g., firewall rules, API rate limiting) on the PUT /api/v1/organizations/*/time-entries/* endpoint. Additionally, audit existing time-entry modifications for evidence of cross-organization tampering by reviewing time-entry update logs and checking for entries that switched project_id assignments while their organization_id remained in a different tenant. Vendor advisory and patch details are available at https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr and the fix commit at https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c.

Share

CVE-2026-42279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy