CVE-2026-21694
Improper Access Control in Titra Allows Unauthorized Time Entry Edits
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kromitgmbh | titra | up to 0.99.50 (exclusive) |
| kromitgmbh | titra | 0.99.50 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Access Control issue in the Titra time tracking software (versions 0.99.49 and below). It allows unauthorized users to view and edit other users' time entries in private projects they do not have access to. Attackers can exploit multiple API endpoints by bypassing project ownership or access checks, enabling them to retrieve or create time entries in private projects of other users. The root cause is the failure to properly verify project access rights before returning or modifying time entries. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure and modification of sensitive time tracking data within private projects. An attacker could view confidential time entries of other users and create or alter time entries without permission. This compromises data confidentiality and integrity, potentially leading to misuse of time records, loss of trust, and operational disruptions. Since the attack can be performed remotely over the network with low privileges and no user interaction, it poses a significant risk to affected users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access or modify time entries in private projects for which the user does not have access, using the vulnerable API endpoints. For example, using curl commands with an API token, you can try to send GET requests to endpoints like /project/timeentries/:projectId or /project/timeentriesfordaterange/:projectId/:fromDate/:toDate with project IDs that the user should not have access to. Similarly, POST requests to /timeentry/create/ with unauthorized project IDs can test if unauthorized creation is possible. If these requests succeed in returning or modifying data, the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Titra to version 0.99.50 or later, where the vulnerability is fixed. The fix adds strict project authorization checks to the affected API endpoints, verifying that the requesting user is authorized to access the project (owner, team member, admin, or public project). If upgrading is not immediately possible, restrict access to the vulnerable API endpoints and monitor for unauthorized access attempts. Applying authorization logic similar to the example code snippet referenced in [2] can also help mitigate the issue. [1, 2]
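As an added illustration (not Titra's own code; the project's internals are not shown on this page), the following Node.js snippet sketches the authorization rule the answer describes: a project's time entries are read or written only when the project is public or the caller is its owner, a team member, or an admin, and the vulnerable lookup-by-id-only pattern is shown beside it. Project and user records are constructed in memory, and field names such as `team`, `public` and `isAdmin` are assumptions.

```javascript
// Constructed sample projects; field names (owner, team, public) are assumptions.
const projects = new Map([
  ['p-private', { owner: 'alice', team: ['bob'], public: false }],
  ['p-public',  { owner: 'carol', team: [],      public: true  }],
]);

// Constructed sample time entries keyed by project id.
const timeEntries = new Map([
  ['p-private', [{ user: 'alice', hours: 2, task: 'design' }]],
  ['p-public',  [{ user: 'carol', hours: 1, task: 'docs' }]],
]);

// Authorization rule named in the fix: public project, owner, team member,
// or admin may access; everything else (including unknown projects) is denied.
function canAccessProject(project, user) {
  if (!project || !user) return false;
  if (project.public) return true;
  if (user.isAdmin) return true;
  if (project.owner === user.id) return true;
  return Array.isArray(project.team) && project.team.includes(user.id);
}

// Vulnerable pattern: returns entries for any project id, no access check.
function getTimeEntriesVulnerable(projectId) {
  return { status: 200, body: timeEntries.get(projectId) || [] };
}

// Hardened read path: verify project access before returning anything.
// Unknown and forbidden projects get the same 403 so ids cannot be enumerated.
function getTimeEntriesSecure(projectId, user) {
  if (!canAccessProject(projects.get(projectId), user)) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: timeEntries.get(projectId) || [] };
}

// Hardened write path: the same check guards time entry creation.
function createTimeEntrySecure(projectId, user, entry) {
  if (!canAccessProject(projects.get(projectId), user)) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  const list = timeEntries.get(projectId) || [];
  list.push({ ...entry, user: user.id });
  timeEntries.set(projectId, list);
  return { status: 201, body: list[list.length - 1] };
}
```

The check is applied before any database read or write, which is the placement the advisory's fix requires: filtering results after the fact would still leak existence and counts.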
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized users to view and modify other users' private time entries, leading to unauthorized access and modification of potentially sensitive personal or business data. This improper access control could result in violations of data protection regulations such as GDPR or HIPAA, which require strict controls over access to personal and sensitive information. Therefore, the vulnerability negatively impacts compliance with these standards by exposing confidential data and compromising data integrity. [1]