Skip to main content

Solidtime

3 CVEs product

Monthly

CVE-2026-47236 MEDIUM PATCH This Month

Unauthorized disclosure of pending invitation emails and member data in Solidtime prior to v0.12.2 allows any authenticated team member to bypass explicit permission controls via the Jetstream web team page. The team page controller gates access only with a coarse `belongsToTeam()` check and then serializes all invitation and member records into Inertia props embedded in the HTML response body, circumventing the `invitations:view` and `members:view` permissions that protect the same data on the API. This is no public exploit identified at time of analysis, with an EPSS of 0.02% reflecting low exploitation probability, though the bypass requires no skill beyond loading the team page as a valid member.

Authentication Bypass Solidtime
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-42279 MEDIUM This Month

Cross-organization time-entry modification in solidtime 0.12.0 allows authenticated users with time-entries:update:all permission in their own organization to modify and rebind time entries belonging to different organizations by exploiting insufficient route-parameter validation in the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} endpoint. An attacker can supply a known foreign time-entry UUID and reassign it to projects within their own organization, causing unauthorized data manipulation across organizational boundaries. Vendor-released patch: version 0.12.1.

Authentication Bypass Solidtime
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-33345 MEDIUM PATCH This Month

Solidtime prior to version 0.11.6 contains an authorization bypass vulnerability in its project detail endpoint that allows any authenticated employee to access private projects they are not members of by directly querying the GET /api/v1/organizations/{org}/projects/{project} endpoint with a project UUID. The vulnerability stems from inconsistent authorization scope application between the index() and show() methods, enabling confidentiality breach of sensitive project data. A security patch is available in version 0.11.6 and the vulnerability has been disclosed via GitHub Security Advisory GHSA-354j-rx28-jjxm.

Authentication Bypass Solidtime
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthorized disclosure of pending invitation emails and member data in Solidtime prior to v0.12.2 allows any authenticated team member to bypass explicit permission controls via the Jetstream web team page. The team page controller gates access only with a coarse `belongsToTeam()` check and then serializes all invitation and member records into Inertia props embedded in the HTML response body, circumventing the `invitations:view` and `members:view` permissions that protect the same data on the API. This is no public exploit identified at time of analysis, with an EPSS of 0.02% reflecting low exploitation probability, though the bypass requires no skill beyond loading the team page as a valid member.

Authentication Bypass Solidtime
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM This Month

Cross-organization time-entry modification in solidtime 0.12.0 allows authenticated users with time-entries:update:all permission in their own organization to modify and rebind time entries belonging to different organizations by exploiting insufficient route-parameter validation in the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} endpoint. An attacker can supply a known foreign time-entry UUID and reassign it to projects within their own organization, causing unauthorized data manipulation across organizational boundaries. Vendor-released patch: version 0.12.1.

Authentication Bypass Solidtime
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Solidtime prior to version 0.11.6 contains an authorization bypass vulnerability in its project detail endpoint that allows any authenticated employee to access private projects they are not members of by directly querying the GET /api/v1/organizations/{org}/projects/{project} endpoint with a project UUID. The vulnerability stems from inconsistent authorization scope application between the index() and show() methods, enabling confidentiality breach of sensitive project data. A security patch is available in version 0.11.6 and the vulnerability has been disclosed via GitHub Security Advisory GHSA-354j-rx28-jjxm.

Authentication Bypass Solidtime
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy