{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33345", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.813Z", "datePublished": "2026-03-24T19:30:27.471Z", "dateUpdated": "2026-03-25T13:21:58.960Z"}, "containers": {"cna": {"title": "solidtime vulnerable to IDOR in private projects", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm"}, {"name": "https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209", "tags": ["x_refsource_MISC"], "url": "https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209"}, {"name": "https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6"}], "affected": [{"vendor": "solidtime-io", "product": "solidtime", "versions": [{"version": "< 0.11.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:30:27.471Z"}, "descriptions": [{"lang": "en", "value": "solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6."}], "source": {"advisory": "GHSA-354j-rx28-jjxm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T13:21:15.653150Z", "id": "CVE-2026-33345", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:21:58.960Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33345", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.813Z", "datePublished": "2026-03-24T19:30:27.471Z", "dateUpdated": "2026-03-25T13:21:58.960Z"}, "containers": {"cna": {"title": "solidtime vulnerable to IDOR in private projects", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm"}, {"name": "https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209", "tags": ["x_refsource_MISC"], "url": "https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209"}, {"name": "https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6", "tags": ["x_refsource_MISC"], "url": "https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6"}], "affected": [{"vendor": "solidtime-io", "product": "solidtime", "versions": [{"version": "< 0.11.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-24T19:30:27.471Z"}, "descriptions": [{"lang": "en", "value": "solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6."}], "source": {"advisory": "GHSA-354j-rx28-jjxm", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33345", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T13:21:15.653150Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T13:21:40.910Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solidtime:solidtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F39EBFF-0C6A-407E-9FAC-7B184603B064", "versionEndExcluding": "0.11.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6."}], "id": "CVE-2026-33345", "lastModified": "2026-03-26T13:21:21.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-24T20:16:29.073", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.11.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "solidtime", "source": "cna", "vendor": "solidtime-io"}, "product": "solidtime", "vendor": "solidtime-io"}], "analysis": {"en": {"generated_at": "2026-03-24T20:50:15.000670+00:00", "value": {"mitigation_remediation": ["Upgrade the solidtime application to version 0.11.6 or later to apply the vendor patch", "Verify that the /api/v1/organizations/{org}/projects/{project} endpoint enforces proper authorization checks in your current deployment", "Limit employee accounts to the minimum necessary permissions for project access and audit role assignments to reduce exposure"], "summary": {"action": "Patch Update", "impact": "Unauthorized access to private project data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of solidtime-io:solidtime that precede version 0.11.6. The most recent patched release is 0.11.6, which implements proper authorization checks on the project detail route. No specific patch versions beyond this are listed in the vulnerability report.", "description_and_impact": "The identified flaw occurs in the project detail endpoint of the solidtime-io:solidtime time\u2011tracking application. Any authenticated employee can query a project by its UUID and retrieve full project details even if that project is marked private and the employee is not a member. This is an IDOR (Insecure Direct Object Reference) vulnerability that allows disclosure of confidential project information, thereby compromising confidentiality and potentially exposing sensitive business data.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. Exploitation requires only authenticated access; an attacker can trigger the flaw via the web interface or API without additional privileges. No EPSS data is available, and the vulnerability is not present in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. Nevertheless, the ease of exploitation within an internal network and the risk of data leakage make it a significant concern for organizations running affected versions."}}}}, "created": "2026-03-25T11:46:15.000395+00:00", "updated": "2026-03-25T20:57:39.705231+00:00", "vendors": ["solidtime-io", "solidtime-io$PRODUCT$solidtime"]}