Description
Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50.
Published: 2026-01-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Arbitrary Field Injection
Action: Immediate Patch
AI Analysis

Impact

Titra versions 0.99.49 and earlier have a mass-assignment flaw that allows an authenticated API user to insert arbitrary fields into time-entry documents via the customfields parameter. The endpoint checks only that customfields is an Object and then merges it into the database record with the JavaScript spread operator (...customfields), so every key the caller supplies is written as-is and overrides any field the server set before the spread. Attackers can therefore modify protected attributes such as userId, hours, and state, reassigning time entries to other users or falsifying booked hours and approval state. This weakness corresponds to CWE-915, "Improperly Controlled Modification of Dynamically-Determined Object Attributes."
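
The following is an added illustration of the pattern described above, not Titra's own code: a vulnerable insert that spreads a type-checked but key-unchecked customfields object over the server-set fields, beside a hardened version that allow-lists the permitted custom keys and assigns the trusted fields last. The function names, the in-memory collection, the field set and the payload are all hypothetical constructions for this example.

```javascript
// Added example (not Titra's code). Demonstrates CWE-915 mass assignment via
// an object spread and an allow-list fix. Every name here is hypothetical.

// Fields the server must control; a caller may never supply them.
const PROTECTED_FIELDS = new Set(['_id', 'userId', 'projectId', 'hours', 'state']);

// Minimal in-memory stand-in for a database collection.
function makeCollection() {
  const docs = [];
  return {
    insert(doc) { docs.push(doc); return docs.length - 1; },
    findOne(id) { return docs[id]; },
  };
}

// Mirrors "customfields is validated as an Object": only the container type
// is checked, never the keys inside it.
function checkIsObject(value, name) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new TypeError(`${name} must be an object`);
  }
}

// VULNERABLE: the spread runs after the trusted fields, so any key present in
// customfields silently overwrites userId, hours, state, ...
function insertTimeEntryVulnerable(collection, session, { projectId, task, date, hours, customfields = {} }) {
  checkIsObject(customfields, 'customfields');
  const doc = {
    userId: session.userId,
    projectId,
    task,
    date,
    hours: Number(hours),
    state: 'new',
    ...customfields, // mass assignment: attacker-controlled keys win
  };
  return collection.insert(doc);
}

// FIXED: reject any key that is not explicitly allowed or that names a
// protected field, and assign the trusted fields after the custom ones so
// they cannot be overridden even if the allow-list is misconfigured.
function insertTimeEntryFixed(collection, session, allowedCustomKeys, { projectId, task, date, hours, customfields = {} }) {
  checkIsObject(customfields, 'customfields');
  const safeCustom = {};
  for (const [key, value] of Object.entries(customfields)) {
    if (PROTECTED_FIELDS.has(key) || !allowedCustomKeys.has(key)) {
      throw new Error(`customfields key not permitted: ${key}`);
    }
    safeCustom[key] = value;
  }
  const doc = {
    ...safeCustom,
    userId: session.userId,
    projectId,
    task,
    date,
    hours: Number(hours),
    state: 'new',
  };
  return collection.insert(doc);
}

// Constructed scenario: user "alice" books 1 hour but smuggles userId, hours
// and state through customfields to attribute 40 approved hours to "bob".
function demo() {
  const session = { userId: 'alice' };
  const attack = {
    projectId: 'proj-1', task: 'review', date: '2026-01-07', hours: 1,
    customfields: { userId: 'bob', hours: 40, state: 'approved', costCenter: 'CC-7' },
  };
  const allowed = new Set(['costCenter']);

  const vuln = makeCollection();
  const vulnDoc = vuln.findOne(insertTimeEntryVulnerable(vuln, session, attack));

  let fixedError = null;
  try {
    insertTimeEntryFixed(makeCollection(), session, allowed, attack);
  } catch (e) {
    fixedError = e.message;
  }

  // A benign request that only uses an allowed custom key still succeeds.
  const benign = { ...attack, customfields: { costCenter: 'CC-7' } };
  const fixed = makeCollection();
  const fixedDoc = fixed.findOne(insertTimeEntryFixed(fixed, session, allowed, benign));

  return { vulnDoc, fixedError, fixedDoc };
}
```

In the vulnerable path the stored document ends up with userId "bob", hours 40 and state "approved"; the hardened path rejects the same request at the first disallowed key and, for the benign request, stores the entry under "alice" with the server-set hours and state intact. The order of the two spreads matters as much as the allow-list: keeping the trusted fields after the custom ones is a cheap second line of defence.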

Affected Systems

The issue affects Titra, an open‑source time‑tracking application developed by kromitgmbh, in all releases up to and including 0.99.49. The vulnerability is fixed in version 0.99.50 and later.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N): the endpoint is reachable over the network by a low-privileged account with no user interaction, and the impact is limited to a low integrity impact with no confidentiality or availability impact. The EPSS score is below 1 %, suggesting a low likelihood of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog, although the SSVC assessment records a public proof of concept (Exploitation: poc). Exploitation requires a valid authenticated session with access to the affected API endpoint; the attacker only has to add disallowed keys such as userId, hours or state to the customfields object of an otherwise normal time-entry request. A successful request reassigns the time entry to another user, changes the hours booked, or alters its workflow state, which corrupts billing and project time logs.

Generated by OpenCVE AI on April 18, 2026 at 07:51 UTC.

Remediation

The vendor has fixed the issue in Titra 0.99.50; upgrade to that version or later. No workaround short of upgrading is documented here.

OpenCVE Recommended Actions

  • Ensure the Titra installation is upgraded to version 0.99.50 or later; obtain the latest release from the official repository or project site.
  • Verify that the upgraded instance no longer accepts arbitrary customfields by attempting to modify a protected field such as userId or hours and confirming the operation fails.
  • Until the upgrade is deployed, limit which accounts can reach the time-entry API (for example, issue API access only to roles that legitimately create or update time entries) and review recently created or modified time entries for unexpected userId, hours or state values.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:45:00 +0000
  • CPEs added: cpe:2.3:a:kromit:titra:*:*:*:*:*:*:*:*

Thu, 08 Jan 2026 19:15:00 +0000
  • Metrics added: ssvc (version 2.0.3): Automatable: no; Exploitation: poc; Technical Impact: partial

Thu, 08 Jan 2026 10:00:00 +0000
  • First time appeared: Kromit; Kromit titra
  • Vendors & Products added: Kromit; Kromit titra

Wed, 07 Jan 2026 23:45:00 +0000
  • Description added (the text shown under Description at the top of this page)
  • Title added: Titra API Contains Mass Assignment Vulnerability
  • Weaknesses added: CWE-915
  • References
  • Metrics added: cvssV3_1, score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T18:16:33.468Z

Reserved: 2026-01-02T18:45:27.397Z

Link: CVE-2026-21695

Vulnrichment

Updated: 2026-01-08T15:06:17.677Z

NVD

Status: Analyzed

Published: 2026-01-08T00:15:59.833

Modified: 2026-01-12T18:40:56.820

Link: CVE-2026-21695

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses