Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Network-reachable low-complexity IDOR exposing others' data (C:H, I/A:N); assessed PR:L because CWE-639 typically requires a valid session whose identifier is manipulated, though the source vector claims PR:N.
Primary rating from Vendor (TR-CERT).
CVSS VectorVendor: TR-CERT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authorization bypass through User-Controlled key vulnerability in Idvlabs Software and Consulting Services Inc. Ontime allows Exploitation of Trusted Identifiers.
This issue affects Ontime: through 04052026.
AnalysisAI
Insecure Direct Object Reference in Idvlabs Ontime (all versions through build 04052026) lets remote attackers read data belonging to other users or tenants by substituting trusted identifiers in requests, without authentication per the published CVSS vector (PR:N). The flaw exposes confidential data only (C:H/I:N/A:N) and was reported by Turkey's TR-CERT under advisory TR-26-0503. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires reachable access to Ontime's HTTP interface and the ability to submit a request containing a user-controlled object identifier (record/user/tenant ID) that the backend trusts without verifying ownership - the 'trusted identifier' in the request IS the condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.5 (High) driven entirely by confidentiality (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) - network-reachable, low complexity, no privileges, no user interaction, but zero integrity or availability impact, so the realistic worst case is unauthorized data disclosure, not takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reach to the Ontime web interface issues normal application requests but swaps the object/user identifier (e.g. changing an employee or record ID in a URL or API parameter) to a value belonging to another user or tenant, and the server returns that victim's confidential data without an ownership check. … |
| Remediation | Upgrade Ontime to a fixed build released after 04052026 as directed by the vendor and the TR-CERT advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0503); an exact patched version string was not provided in the source data, so confirm the fixed build number directly with Idvlabs - patch available per vendor advisory, released patched version not independently confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Ontime instances and review access logs for unauthorized cross-tenant or cross-user data requests. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42015
GHSA-vh24-w6w7-q6mw