Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-accessible team page requires authenticated membership (PR:L); only email addresses exposed (C:L); no integrity or availability impact applies.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam() and then loads and serializes all pending invitation emails as well as members into Inertia props. Any employee who belongs to the organization can read pending invitation email addresses and members through the serialised inertia data in the team page body even though the same user is forbidden from the API. This issue has been patched in version 0.12.2.
AnalysisAI
Unauthorized disclosure of pending invitation emails and member data in Solidtime prior to v0.12.2 allows any authenticated team member to bypass explicit permission controls via the Jetstream web team page. The team page controller gates access only with a coarse belongsToTeam() check and then serializes all invitation and member records into Inertia props embedded in the HTML response body, circumventing the invitations:view and members:view permissions that protect the same data on the API. This is no public exploit identified at time of analysis, with an EPSS of 0.02% reflecting low exploitation probability, though the bypass requires no skill beyond loading the team page as a valid member.
Technical ContextAI
Solidtime is a Laravel-based time-tracking application that uses the Jetstream starter kit for team management and Inertia.js to pass server-side data to Vue/React frontend components. Inertia serializes server-side PHP objects as a JSON blob embedded directly in the initial HTML response - typically inside a data-page attribute - making it available to the browser and any user who can inspect page source or network traffic. The root cause is CWE-863 (Incorrect Authorization): the Jetstream team page controller applies only the belongsToTeam() authorization gate before building its Inertia props, rather than additionally enforcing the dedicated invitations:view and members:view permission checks used by the API routes. This creates a bifurcated authorization model where the API layer is correctly protected but the web rendering path is not. The CPE cpe:2.3:a:solidtime-io:solidtime:*:*:*:*:*:*:*:* confirms all versions prior to v0.12.2 are affected.
RemediationAI
Vendor-released patch: v0.12.2. Upgrade to Solidtime v0.12.2 immediately; the release notes confirm it fixes the serialized Inertia props on the team page to enforce invitations:view and members:view permissions consistently with the API layer. Release artifacts and changelog are available at https://github.com/solidtime-io/solidtime/releases/tag/v0.12.2. If immediate upgrade is not possible, restrict access to the /teams web route at the reverse proxy or WAF layer for all non-administrator roles - note this will break the team management UI for those users as a trade-off. Alternatively, temporarily disable Inertia SSR serialization of invitation and member data at the application level if the codebase permits a local patch, though this requires familiarity with the Inertia controller. No documented workarounds exist that fully preserve functionality while preventing the disclosure.
Solidtime prior to version 0.11.6 contains an authorization bypass vulnerability in its project detail endpoint that all
Cross-organization time-entry modification in solidtime 0.12.0 allows authenticated users with time-entries:update:all p
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36530