Skip to main content

Solidtime CVE-2026-47236

| EUVDEUVD-2026-36530 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-12 GitHub_M
4.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible team page requires authenticated membership (PR:L); only email addresses exposed (C:L); no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jun 12, 2026 - 20:01 EUVD
Source Code Evidence Fetched
Jun 12, 2026 - 19:30 vuln.today
Analysis Generated
Jun 12, 2026 - 19:30 vuln.today

DescriptionCVE.org

Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam() and then loads and serializes all pending invitation emails as well as members into Inertia props. Any employee who belongs to the organization can read pending invitation email addresses and members through the serialised inertia data in the team page body even though the same user is forbidden from the API. This issue has been patched in version 0.12.2.

AnalysisAI

Unauthorized disclosure of pending invitation emails and member data in Solidtime prior to v0.12.2 allows any authenticated team member to bypass explicit permission controls via the Jetstream web team page. The team page controller gates access only with a coarse belongsToTeam() check and then serializes all invitation and member records into Inertia props embedded in the HTML response body, circumventing the invitations:view and members:view permissions that protect the same data on the API. This is no public exploit identified at time of analysis, with an EPSS of 0.02% reflecting low exploitation probability, though the bypass requires no skill beyond loading the team page as a valid member.

Technical ContextAI

Solidtime is a Laravel-based time-tracking application that uses the Jetstream starter kit for team management and Inertia.js to pass server-side data to Vue/React frontend components. Inertia serializes server-side PHP objects as a JSON blob embedded directly in the initial HTML response - typically inside a data-page attribute - making it available to the browser and any user who can inspect page source or network traffic. The root cause is CWE-863 (Incorrect Authorization): the Jetstream team page controller applies only the belongsToTeam() authorization gate before building its Inertia props, rather than additionally enforcing the dedicated invitations:view and members:view permission checks used by the API routes. This creates a bifurcated authorization model where the API layer is correctly protected but the web rendering path is not. The CPE cpe:2.3:a:solidtime-io:solidtime:*:*:*:*:*:*:*:* confirms all versions prior to v0.12.2 are affected.

RemediationAI

Vendor-released patch: v0.12.2. Upgrade to Solidtime v0.12.2 immediately; the release notes confirm it fixes the serialized Inertia props on the team page to enforce invitations:view and members:view permissions consistently with the API layer. Release artifacts and changelog are available at https://github.com/solidtime-io/solidtime/releases/tag/v0.12.2. If immediate upgrade is not possible, restrict access to the /teams web route at the reverse proxy or WAF layer for all non-administrator roles - note this will break the team management UI for those users as a trade-off. Alternatively, temporarily disable Inertia SSR serialization of invitation and member data at the application level if the codebase permits a local patch, though this requires familiarity with the Inertia controller. No documented workarounds exist that fully preserve functionality while preventing the disclosure.

Share

CVE-2026-47236 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy