Description
Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50.
Published: 2026-01-07
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to private time entries
Action: Patch
AI Analysis

Impact

The vulnerability is an improper access control flaw that allows authenticated users to view and edit time entries belonging to other users in private projects. This leads to confidentiality leakage and integrity compromise, enabling the attacker to read or modify sensitive work logs.

Affected Systems

The flaw affects the open-source Titra time-tracking application from kromitgmbh. All releases up to and including 0.99.49 are vulnerable; the issue is resolved in 0.99.50.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, and the EPSS score of less than 1% suggests a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by accessing the exposed API endpoints while authenticated, implying a remote attack vector that requires legitimate credentials but does not involve code execution.

Generated by OpenCVE AI on April 18, 2026 at 16:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Titra installation to version 0.99.50 or later to apply the vendor fix that enforces proper access control on API endpoints.
  • Verify that the API routes checking project visibility and user permissions are active, and reconfigure them if necessary to restrict read and write access to only users with explicit project rights.
  • Conduct a thorough audit of user roles and permissions within Titra, removing any users who possess broader project access than required for their job functions.

Tracking

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:kromit:titra:*:*:*:*:*:*:*:*

Thu, 08 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Kromit
Kromit titra
Vendors & Products Kromit
Kromit titra

Wed, 07 Jan 2026 23:30:00 +0000

Type Values Removed Values Added
Description Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50.
Title Titra APIs have Improper Access Control
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T19:23:48.439Z

Reserved: 2026-01-02T18:45:27.397Z

Link: CVE-2026-21694

Vulnrichment

Updated: 2026-01-08T19:23:41.277Z

NVD

Status : Analyzed

Published: 2026-01-08T00:15:59.680

Modified: 2026-01-12T18:44:36.047

Link: CVE-2026-21694

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses