Description
solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.
Published: 2026-03-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to private project data
Action: Immediate patch
AI Analysis

Impact

A flaw in the project detail endpoint allows any authenticated employee to retrieve information about projects they are not a member of, exposing private data. The vulnerability is an Insecure Direct Object Reference (IDOR): the project UUID supplied in the URL is resolved without checking that the caller may see that project, so details of sensitive projects, potentially including confidential work information, can be read. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), reflecting inadequate access control on a user-supplied identifier.
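The index()/show() asymmetry described above, as an added illustration in Laravel-style PHP that is not solidtime's own code: the visibility scope, the unscoped detail lookup (the pre-0.11.6 shape), and the scoped lookup that closes the hole. Only index(), show() and visibleByEmployee() come from the advisory; the model, column and helper names are assumptions.

```php
<?php
// Added illustration of the CVE-2026-33345 pattern, NOT solidtime's own code.
// Only index(), show() and visibleByEmployee() come from the advisory; the model,
// column and helper names below are assumptions written in Laravel/Eloquent style.
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;

class Project extends Model
{
    // Assumed scope: a project is visible to an employee if it is not private,
    // or if the employee is one of its members.
    public function scopeVisibleByEmployee(Builder $query, Employee $employee): Builder
    {
        return $query->where(function (Builder $q) use ($employee) {
            $q->where('is_private', false)
              ->orWhereHas('members', fn (Builder $m) => $m->where('employee_id', $employee->id));
        });
    }
}

class ProjectController
{
    // Collection endpoint: scoped, so a non-member never sees a private project listed.
    public function index(Request $request, Organization $organization)
    {
        $employee = $request->user()->employeeFor($organization); // assumed helper
        return Project::whereBelongsTo($organization)
            ->visibleByEmployee($employee)
            ->get();
    }

    // Vulnerable detail endpoint (pre-0.11.6 shape): the only filter is the
    // organization, so any employee who supplies a private project's UUID gets it.
    public function showVulnerable(Request $request, Organization $organization, string $project)
    {
        return Project::whereBelongsTo($organization)->findOrFail($project);
    }

    // Fixed detail endpoint: the same scope as index() runs before the UUID lookup,
    // so a non-member receives a 404 rather than the private project's data.
    public function show(Request $request, Organization $organization, string $project)
    {
        $employee = $request->user()->employeeFor($organization);
        return Project::whereBelongsTo($organization)
            ->visibleByEmployee($employee)
            ->findOrFail($project);
    }
}
```

The same check applies to any sibling detail, update or delete route that resolves a project by UUID, which is what the recommendation to verify visibleByEmployee() on all relevant endpoints amounts to.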

Affected Systems

The affected product is Solidtime by solidtime-io. All releases prior to version 0.11.6 are vulnerable, while version 0.11.6 and later contain a fix that enforces visibility checks for project resources.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Attackers would need to be authenticated users of the system; they can exploit the issue simply by issuing a GET request to the vulnerable endpoint. Because the flaw permits disclosure of privileged project data, it poses a significant confidentiality risk to organizations using Solidtime.

Generated by OpenCVE AI on March 26, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Solidtime to version 0.11.6 or later, where the show() endpoint has been patched.
  • Verify that the access controls are functioning correctly on the API, especially that visibleByEmployee() is applied to all relevant endpoints.
  • If an update cannot be applied immediately, restrict access to the project detail endpoint to a narrow set of administrators or block external API traffic until the patch is installed.
  • Monitor application logs for anomalous project access attempts and audit employee permissions regularly to ensure least-privilege principles are maintained.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 13:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Solidtime; Solidtime solidtime
CPEs                  (none)           cpe:2.3:a:solidtime:solidtime:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Solidtime; Solidtime solidtime

Wed, 25 Mar 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Solidtime-io; Solidtime-io solidtime
Vendors & Products    (none)           Solidtime-io; Solidtime-io solidtime

Tue, 24 Mar 2026 19:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.
Title         (none)           solidtime vulnerable to IDOR in private projects
Weaknesses    (none)           CWE-639
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:21:58.960Z

Reserved: 2026-03-18T22:15:11.813Z

Link: CVE-2026-33345

Vulnrichment

Updated: 2026-03-25T13:21:40.910Z

NVD

Status : Analyzed

Published: 2026-03-24T20:16:29.073

Modified: 2026-03-26T13:21:21.500

Link: CVE-2026-33345

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:35Z

Weaknesses