CVE-2026-21695
Unknown Unknown - Not Provided
Mass Assignment Vulnerability in Titra API Allows Data Manipulation

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
Titra is open source project time tracking software. In versions 0.99.49 and below, an API has a Mass Assignment vulnerability which allows authenticated users to inject arbitrary fields into time entries, bypassing business logic controls via the customfields parameter. The affected endpoint uses the JavaScript spread operator (...customfields) to merge user-controlled input directly into the database document. While customfields is validated as an Object type, there is no validation of which keys are permitted inside that object. This allows attackers to overwrite protected fields such as userId, hours, and state. The issue is fixed in version 0.99.50.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21695
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kromitgmbh titra to 0.99.50 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Mass Assignment flaw in the Titra time tracking software (versions 0.99.49 and below). Authenticated users can inject arbitrary fields into time entries via the 'customfields' parameter in the API. The API merges user input directly into the database document using the JavaScript spread operator without validating which keys are allowed. This allows attackers to overwrite protected fields such as userId, hours, and state, bypassing business logic controls. [1]

Impact Analysis

The vulnerability allows an authenticated user to modify protected fields in time entries, such as userId, hours, and state, which can lead to unauthorized changes in data integrity. This could result in inaccurate time tracking records, potential fraud, or manipulation of billing and project data. However, it does not impact confidentiality or availability. [1]

Detection Guidance

This vulnerability can be detected by attempting to exploit the Mass Assignment flaw using an authenticated API request that injects arbitrary fields into time entries via the customfields parameter. For example, you can use a curl command to send a POST request to the /timeentry/create/ endpoint with malicious customfields that overwrite protected fields such as 'state' and 'hours'. Example command: ```bash curl -X POST "http://<target-ip>:3000/timeentry/create/" -H "Authorization: Bearer <USER_API_TOKEN>" -H "Content-Type: application/json" -d '{ "projectId": "<TARGET_PROJECT_ID>", "task": "Mass Assignment Test", "date": "2025-12-27", "hours": 1, "customfields": { "state": "billed", "hours": 9999 } }' ``` If the request succeeds in modifying protected fields, the system is vulnerable. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Titra to version 0.99.50 or later where the vulnerability is fixed. If upgrading is not immediately possible, apply input sanitization by implementing an allowlist of permitted keys for the customfields parameter to prevent unauthorized overwriting of protected fields. Alternatively, modify the code to spread the customfields object before the protected fields to ensure protected fields cannot be overwritten. These code changes sanitize or reorder the merging of user input to prevent exploitation. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21695. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart