Vulnerability Details CVE-2026-42279
solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.3%
CVSS Severity
CVSS v3 Score 5.8
References
- https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832c
- https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1
- https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr
- https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwr