Description
solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.
Published: 2026-05-08
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} endpoint, which accepts a timeEntry identifier that belongs to another organization when the caller possesses the time-entries:update:all scope for the organization named in the URL. This enables an authenticated user to modify a known foreign time‑entry and rebind it to an object in their own organization. The result is the ability to alter billing, reporting, and time‑tracking data with the privileges of another entity, representing a serious integrity risk.
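The Impact paragraph describes a missing ownership check (CWE-639): the handler authorizes the caller's scope against the organization in the URL but never confirms that the route-bound time entry belongs to that organization. The following Python model is added here as an illustration; it is not solidtime's code (the project's Laravel code base is not shown on this page), and its data model, scope representation, exception names and fixture values are all assumptions. It contrasts a handler that performs only the scope check with one that also scopes the entry lookup and any rebinding target to the URL organization.

```python
"""Generic model of the missing-ownership check behind CVE-2026-42279.

Added illustration, not solidtime's code. Two variants of a
"PUT /organizations/{organization}/time-entries/{timeEntry}" handler:
one checks only the caller's scope in the URL organization, the other
also verifies that the route-bound entry (and any project it is rebound
to) belongs to that organization. All names and data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SCOPE_UPDATE_ALL = "time-entries:update:all"  # scope name taken from the advisory


class NotFound(Exception):
    """The referenced object is not visible inside the URL organization."""


class Forbidden(Exception):
    """The caller lacks the required scope in the URL organization."""


@dataclass
class TimeEntry:
    id: str
    organization_id: str
    project_id: str | None
    description: str = ""


@dataclass(frozen=True)
class Caller:
    user_id: str
    # assumed scope model: organization id -> set of granted scopes
    scopes: dict[str, frozenset[str]]


@dataclass
class Store:
    entries: dict[str, TimeEntry] = field(default_factory=dict)
    projects: dict[str, str] = field(default_factory=dict)  # project id -> owning org id


def require_scope(caller: Caller, org_id: str, scope: str) -> None:
    if scope not in caller.scopes.get(org_id, frozenset()):
        raise Forbidden(f"{caller.user_id} lacks {scope} in {org_id}")


def update_vulnerable(store: Store, caller: Caller, url_org: str,
                      entry_id: str, payload: dict) -> TimeEntry:
    """Scope check against the URL org, then a lookup by UUID alone (the flaw)."""
    require_scope(caller, url_org, SCOPE_UPDATE_ALL)
    entry = store.entries.get(entry_id)
    if entry is None:
        raise NotFound(entry_id)
    # Missing: entry.organization_id == url_org. A foreign UUID passes and can
    # be pointed at a project that lives in the caller's organization.
    entry.description = payload.get("description", entry.description)
    entry.project_id = payload.get("project_id", entry.project_id)
    return entry


def update_fixed(store: Store, caller: Caller, url_org: str,
                 entry_id: str, payload: dict) -> TimeEntry:
    """Same scope check, plus ownership checks on the entry and its rebind target."""
    require_scope(caller, url_org, SCOPE_UPDATE_ALL)
    entry = store.entries.get(entry_id)
    # Scope the lookup to the URL organization. Answering 404 rather than 403
    # avoids confirming that the UUID exists in some other organization.
    if entry is None or entry.organization_id != url_org:
        raise NotFound(entry_id)
    project_id = payload.get("project_id", entry.project_id)
    # Any object the entry is rebound to must belong to the same organization.
    if project_id is not None and store.projects.get(project_id) != url_org:
        raise NotFound(project_id)
    entry.description = payload.get("description", entry.description)
    entry.project_id = project_id
    return entry


def make_fixture() -> tuple[Store, Caller]:
    """Constructed data: two organizations, one entry each, a caller with the scope in org-a only."""
    store = Store()
    store.projects = {"proj-a": "org-a", "proj-b": "org-b"}
    store.entries["te-a1"] = TimeEntry("te-a1", "org-a", "proj-a", "own work")
    store.entries["te-b1"] = TimeEntry("te-b1", "org-b", "proj-b", "confidential work")
    caller = Caller("alice", {"org-a": frozenset({SCOPE_UPDATE_ALL})})
    return store, caller


def demo() -> dict:
    """Runs both variants against the foreign UUID te-b1 under the org-a scope."""
    payload = {"description": "rebound", "project_id": "proj-a"}
    store, caller = make_fixture()
    foreign = update_vulnerable(store, caller, "org-a", "te-b1", payload)
    vulnerable_rebound = (foreign.organization_id, foreign.project_id)
    store, caller = make_fixture()
    try:
        update_fixed(store, caller, "org-a", "te-b1", payload)
        fixed_foreign = "allowed"
    except NotFound:
        fixed_foreign = "not_found"
    own = update_fixed(store, caller, "org-a", "te-a1", payload)
    return {"vulnerable_rebound": vulnerable_rebound,
            "fixed_foreign": fixed_foreign,
            "fixed_own": own.description}


if __name__ == "__main__":
    print(demo())
```

The fixed variant returns the same "not found" answer whether the UUID does not exist or exists in another organization, so the endpoint stops acting as an oracle for foreign identifiers, and it applies the ownership rule to the rebinding target as well as the entry itself.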

Affected Systems

The affected product is solidtime‑io’s open‑source time‑tracking application. Version 0.12.0 is vulnerable, and the issue is fixed in version 0.12.1. Users running 0.12.0 or earlier are susceptible to this flaw.

Risk and Exploitability

With a CVSS score of 5.8 this vulnerability is considered moderate severity. No EPSS score is available, and it is not listed in CISA’s KEV catalog. The attack vector is authenticated, requiring a user with the time-entries:update:all permission in the target organization. The attacker must know a valid foreign time‑entry UUID, which may be discovered through normal API usage or enumeration. Once these conditions are satisfied, the attacker can alter cross‑organization records without authorization.

Generated by OpenCVE AI on May 8, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade solidtime to version 0.12.1 or later where the patch has been applied.
  • If an immediate upgrade is not possible, revoke or deny the time-entries:update:all permission for users in affected organizations to prevent unauthorized cross‑organization modifications.
  • Implement API usage monitoring to detect unexpected changes to time‑entry records and alert relevant administrators.

Advisories

No advisories yet.

History

Fri, 08 May 2026 11:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 07:45:00 +0000

Type: First Time appeared
Values removed: none
Values added: Solidtime-io; Solidtime-io solidtime

Type: Vendors & Products
Values removed: none
Values added: Solidtime-io; Solidtime-io solidtime

Fri, 08 May 2026 05:00:00 +0000

Type: Description
Values removed: none
Values added: solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.

Type: Title
Values removed: none
Values added: solidtime: Time entry update endpoint allows cross-organization modification of a known time-entry UUID

Type: Weaknesses
Values removed: none
Values added: CWE-639

Type: References
Values removed: none
Values added: (none listed)

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N'}


Subscriptions

Solidtime-io Solidtime
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T10:38:51.086Z

Reserved: 2026-04-26T11:53:27.716Z

Link: CVE-2026-42279

Vulnrichment

Updated: 2026-05-08T10:38:33.282Z

NVD

Status : Received

Published: 2026-05-08T05:16:11.063

Modified: 2026-05-08T11:16:28.670

Link: CVE-2026-42279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T07:30:02Z

Weaknesses