Skip to main content

Ontime CVE-2026-5799

| EUVDEUVD-2026-42015 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-07 TR-CERT GHSA-vh24-w6w7-q6mw
7.5
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable low-complexity IDOR exposing others' data (C:H, I/A:N); assessed PR:L because CWE-639 typically requires a valid session whose identifier is manipulated, though the source vector claims PR:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 08:02 vuln.today

DescriptionCVE.org

Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.

This issue affects Ontime: through 04052026.

AnalysisAI

Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote attackers read data belonging to other users or tenants by substituting trusted identifiers in requests, without authentication per the published CVSS vector (PR:N). The flaw exposes confidential data only (C:H/I:N/A:N) and was reported by Turkey's TR-CERT under advisory TR-26-0503. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Ontime web/API endpoint
Delivery
Capture request with object identifier
Exploit
Substitute another user's identifier
Execution
Server skips ownership check
Persist
Enumerate IDs to harvest data
Impact
Exfiltrate confidential records

Vulnerability AssessmentAI

Exploitation Exploitation requires reachable access to Ontime's HTTP interface and the ability to submit a request containing a user-controlled object identifier (record/user/tenant ID) that the backend trusts without verifying ownership - the 'trusted identifier' in the request IS the condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.5 (High) driven entirely by confidentiality (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) - network-reachable, low complexity, no privileges, no user interaction, but zero integrity or availability impact, so the realistic worst case is unauthorized data disclosure, not takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reach to the Ontime web interface issues normal application requests but swaps the object/user identifier (e.g. changing an employee or record ID in a URL or API parameter) to a value belonging to another user or tenant, and the server returns that victim's confidential data without an ownership check. …
Remediation Upgrade Ontime to a fixed build released after 04052026 as directed by the vendor and the TR-CERT advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0503); an exact patched version string was not provided in the source data, so confirm the fixed build number directly with Idvlabs - patch available per vendor advisory, released patched version not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Ontime instances and review access logs for unauthorized cross-tenant or cross-user data requests. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-5799 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy