CVE-2026-47236 - Vulnerability Details

Description

Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam() and then loads and serializes all pending invitation emails as well as members into Inertia props. Any employee who belongs to the organization can read pending invitation email addresses and members through the serialised inertia data in the team page body even though the same user is forbidden from the API. This issue has been patched in version 0.12.2.

Published: 2026-06-12

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Solidtime’s Jetstream web team page authorizes access only with a belongsToTeam() check and then serializes all pending invitation emails and member data into Inertia props. Because the page does not require the explicit invitations:view or members:view permissions, any employee who has been added to the organization can view email addresses of pending invitations and current members, even though the same user is forbidden from accessing them via the official API. This flaw exposes sensitive personal information, violating confidentiality, and represents a misuse of internal application functionality (CWE‑863).

Affected Systems

The vulnerability affects the open‑source time‑tracking application Solidtime authored by solidtime‑io. All versions released before 0.12.2 are susceptible; the issue is patched in release 0.12.2 and later.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score of < 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalogue. Likely exploitation requires an internal attacker who is a member of the organization but lacks the specific view permissions; the attacker simply requests the team page from a web browser and receives the serialized data containing email addresses.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

solidtime-io

solidtime

affected

Version	Status	Constraints
`< 0.12.2`	affected	—

No data.

Vendor Product Confidence Versions

Solidtime-io

Solidtime

100%

Version	Status	Scheme	Platform
`[0,0.12.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Solidtime to version 0.12.2 or later, which resolves the authorization issue on the team page.
If upgrading immediately is not possible, modify the team page templates or backend code to remove the serialization of pending invitation emails and member data unless the requesting user has invitations:view or members:view rights.
Conduct a review of all web view handlers in the application to ensure that permission checks guard against exposing any privileged data, addressing the underlying CWE‑863 access control flaw.

Generated by OpenCVE AI on June 12, 2026 at 19:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/solidtime-io/solidtime/releases/tag/v0.12.2
https://github.com/solidtime-io/solidtime/security/advisories/GHSA-33xq-wf67-c7vh

History

Fri, 12 Jun 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Solidtime-io Solidtime-io solidtime
Vendors & Products		Solidtime-io Solidtime-io solidtime

Fri, 12 Jun 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines an explicit invitations:view and members:view permissions that gates the official invitations and members API. The Jetstream web team page authorizes access with only belongsToTeam() and then loads and serializes all pending invitation emails as well as members into Inertia props. Any employee who belongs to the organization can read pending invitation email addresses and members through the serialised inertia data in the team page body even though the same user is forbidden from the API. This issue has been patched in version 0.12.2.
Title		Solidtime team page exposes pending invitation and member emails to employees who lack invitations:view/members:view permission
Weaknesses		CWE-863
References		https://github.com/solidtime-io/solidtime/releases/tag/v0.12.2 https://github.com/solidtime-io/solidtime/security/advisories/GHSA-33xq-wf67-c7vh
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Solidtime-io Solidtime

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-12T18:11:31.930Z

Updated: 2026-06-12T18:11:31.930Z

Reserved: 2026-05-18T22:54:18.271Z

Link: CVE-2026-47236

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T19:16:28.523

Modified: 2026-06-12T19:16:28.523

Link: CVE-2026-47236

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:30:31Z

Weaknesses

CWE-863
Incorrect Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object