CVE-2026-21695
Mass Assignment Vulnerability in Titra API Allows Data Manipulation
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kromitgmbh | titra | up to 0.99.50 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Mass Assignment flaw in the Titra time tracking software (versions 0.99.49 and below). Authenticated users can inject arbitrary fields into time entries via the 'customfields' parameter in the API. The API merges user input directly into the database document using the JavaScript spread operator without validating which keys are allowed. This allows attackers to overwrite protected fields such as userId, hours, and state, bypassing business logic controls. [1]
How can this vulnerability impact me?
The vulnerability allows an authenticated user to modify protected fields in time entries, such as userId, hours, and state, which can lead to unauthorized changes in data integrity. This could result in inaccurate time tracking records, potential fraud, or manipulation of billing and project data. However, it does not impact confidentiality or availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the Mass Assignment flaw using an authenticated API request that injects arbitrary fields into time entries via the customfields parameter. For example, you can use a curl command to send a POST request to the /timeentry/create/ endpoint with malicious customfields that overwrite protected fields such as 'state' and 'hours'. Example command:

```bash
curl -X POST "http://<target-ip>:3000/timeentry/create/" \
  -H "Authorization: Bearer <USER_API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{ "projectId": "<TARGET_PROJECT_ID>", "task": "Mass Assignment Test", "date": "2025-12-27", "hours": 1, "customfields": { "state": "billed", "hours": 9999 } }'
```

If the request succeeds in modifying protected fields, the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Titra to version 0.99.50 or later where the vulnerability is fixed. If upgrading is not immediately possible, apply input sanitization by implementing an allowlist of permitted keys for the customfields parameter to prevent unauthorized overwriting of protected fields. Alternatively, modify the code to spread the customfields object before the protected fields to ensure protected fields cannot be overwritten. These code changes sanitize or reorder the merging of user input to prevent exploitation. [1]
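The two merge patterns described above, the vulnerable spread order beside the allowlisted and reordered fix, as an added illustration that is not Titra's own code. Field names follow the advisory text; the function names, the allowlist and the sample request body are constructed for this example.

```javascript
// Added illustration of the mass-assignment pattern; not Titra's code.
// Field names follow the advisory; function names and values are assumptions.

const PROTECTED_FIELDS = ['userId', 'projectId', 'hours', 'state', '_id'];

// Vulnerable pattern: user-supplied customfields are spread last, so any key in
// them silently overwrites the server-controlled fields set before it.
function buildEntryVulnerable(userId, body) {
  return {
    userId,
    projectId: body.projectId,
    task: body.task,
    date: body.date,
    hours: body.hours,
    state: 'new',
    ...body.customfields,
  };
}

// Hardened pattern: keep only keys declared as custom fields, drop anything
// that names a protected field, and spread the result *before* server-set fields
// so the allowlist and the spread order each independently block the overwrite.
function sanitizeCustomFields(customfields, allowedKeys) {
  const out = {};
  for (const [key, value] of Object.entries(customfields || {})) {
    if (!allowedKeys.includes(key)) continue;    // not a declared custom field
    if (PROTECTED_FIELDS.includes(key)) continue; // never let custom data shadow these
    out[key] = value;
  }
  return out;
}

function buildEntryHardened(userId, body, allowedKeys) {
  return {
    ...sanitizeCustomFields(body.customfields, allowedKeys),
    userId,
    projectId: body.projectId,
    task: body.task,
    date: body.date,
    hours: Number(body.hours),
    state: 'new',
  };
}

// Constructed request body modelled on the advisory's test payload.
const sampleBody = {
  projectId: 'PROJECT_ID_PLACEHOLDER',
  task: 'Mass Assignment Test',
  date: '2025-12-27',
  hours: 1,
  customfields: { state: 'billed', hours: 9999, costCenter: 'R&D' },
};
```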