EUVD-2026-14996
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Description
solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.
Analysis
Solidtime prior to version 0.11.6 contains an authorization bypass vulnerability in its project detail endpoint that allows any authenticated employee to access private projects they are not members of by directly querying the GET /api/v1/organizations/{org}/projects/{project} endpoint with a project UUID. The vulnerability stems from inconsistent authorization scope application between the index() and show() methods, enabling confidentiality breach of sensitive project data. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today