CVE-2026-42279

Published: May 8, 2026Modified: May 8, 2026

5.8

Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N

Exploitability: 1.3 / Impact: 4.0

Source: security-advisories@github.com (Secondary)

Description

solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.

Affected (1)

Products: Solidtime: Solidtime

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Solidtime Solidtime	Version 0.12.0

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c

Source: security-advisories@github.com

Patch

https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.