Description
titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as google_secret, openai_apikey, and google_clientid. At time of publication no public patch is available.
Published: 2026-05-04
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Titra version 0.99.52 the globalsettings Meteor publication returns all configuration data without performing any admin or role verification. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as google_secret, openai_apikey, and google_clientid. This flaw allows an attacker holding an ordinary user account to obtain API secrets and other configuration data, creating a potential confidentiality breach.

Affected Systems

The affected product is the open-source Titra time-tracking application, specifically release 0.99.52.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 indicates a medium severity vulnerability. The EPSS score is not available, so the likelihood of exploitation is uncertain, yet the impact is significant because any authenticated user can retrieve the data. The vulnerability is not currently listed in the CISA KEV catalog, but the lack of an access check means that once an attacker obtains an account, the exploitation path is trivial and does not require additional prerequisites.

Generated by OpenCVE AI on May 4, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Reset all exposed credentials (google_secret, openai_apikey, google_clientid) and regenerate them immediately.
  • Modify the globalsettings publication code to enforce an admin or role check before returning any sensitive data.
  • Restrict DDP subscription to the globalsettings publication so that only privileged users can access it.
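The check the recommended actions call for, as an added example that is not Titra's code: a Meteor-style globalsettings publication in its vulnerable shape beside a hardened one, plus an allow-listed companion publication for the non-secret fields regular users may legitimately need. It uses only the real Meteor publish-context members `this.userId` and `this.ready()` and models the rest with plain objects so it runs under Node without Meteor; the user and settings data, the `isAdmin` flag and the public field list are constructed assumptions.

```javascript
// Constructed sample data (not Titra's real schema): two users and one settings document.
const USERS = {
  'u-admin':   { _id: 'u-admin',   isAdmin: true  },
  'u-regular': { _id: 'u-regular', isAdmin: false },
};

const GLOBAL_SETTINGS = {
  _id: 'settings',
  timeunit: 'h',                              // harmless display preference
  google_clientid: 'client-id-placeholder',   // field names from the advisory, values constructed
  google_secret: 'google-secret-placeholder',
  openai_apikey: 'openai-key-placeholder',
};

// Minimal stand-in for the Meteor publication context: `this.userId` and `this.ready()`
// are real Meteor publish-handler members; nothing else of Meteor is modelled.
// In a Meteor app a handler below would be registered with Meteor.publish('globalsettings', handler).
function runPublication(handler, userId) {
  let readyCalled = false;
  const ctx = { userId, ready() { readyCalled = true; } };
  const docs = handler.call(ctx) || [];
  return { docs, readyCalled };
}

// Vulnerable shape: the handler hands the whole document to every subscriber.
function publishGlobalSettingsVulnerable() {
  return [GLOBAL_SETTINGS];
}

// Hypothetical role check (assumption): an `isAdmin` flag on the user document.
function isAdmin(userId) {
  const user = userId ? USERS[userId] : undefined;
  return Boolean(user && user.isAdmin === true);
}

// Hardened shape: no session, or no admin role, yields an empty but ready subscription.
function publishGlobalSettingsHardened() {
  if (!this.userId || !isAdmin(this.userId)) {
    this.ready();
    return [];
  }
  return [GLOBAL_SETTINGS];
}

// Companion publication for settings regular users need: an explicit allow-list of
// non-secret fields, so a secret added to the document later is never exposed by default.
const PUBLIC_SETTING_FIELDS = ['_id', 'timeunit'];

function pickFields(doc, fields) {
  const out = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(doc, f)) out[f] = doc[f];
  }
  return out;
}

function publishPublicSettings() {
  if (!this.userId) {
    this.ready();
    return [];
  }
  return [pickFields(GLOBAL_SETTINGS, PUBLIC_SETTING_FIELDS)];
}

// Field names a given subscriber ends up receiving from a handler (sorted, de-duplicated).
function fieldsVisibleTo(handler, userId) {
  const { docs } = runPublication(handler, userId);
  return [...new Set(docs.flatMap((d) => Object.keys(d)))].sort();
}

// Stand-alone demonstration: what each subscriber sees from each handler.
const HANDLERS = {
  vulnerable: publishGlobalSettingsVulnerable,
  hardened: publishGlobalSettingsHardened,
  public: publishPublicSettings,
};
for (const [name, handler] of Object.entries(HANDLERS)) {
  for (const uid of ['u-regular', 'u-admin', null]) {
    console.log(`${name.padEnd(10)} ${String(uid).padEnd(9)} -> ${fieldsVisibleTo(handler, uid).join(', ') || '(nothing)'}`);
  }
}
```

The hardened handler calls `this.ready()` before returning nothing so that a non-admin client's subscription completes cleanly instead of hanging; the allow-list in the companion publication is the control that keeps future secret fields out of the regular-user view.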


Advisories

No advisories yet.

History

Mon, 04 May 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Titraio
                                      Titraio titra
Vendors & Products   (none)           Titraio
                                      Titraio titra

Mon, 04 May 2026 17:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as google_secret, openai_apikey, and google_clientid. At time of publication no public patch is available.
Title         (none)           Global Settings Publication Exposes Sensitive Configuration to Any Authenticated User in Titra
Weaknesses    (none)           CWE-200
References    (none)           (none)
Metrics       (none)           cvssV3_1
                               {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T17:30:46.421Z

Reserved: 2026-04-23T19:17:30.566Z

Link: CVE-2026-42092

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T18:16:31.363

Modified: 2026-05-04T18:16:31.363

Link: CVE-2026-42092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:43:51Z

Weaknesses