CVE-2026-33345
Insecure Direct Object Reference in solidtime Project Endpoint
Publication date: 2026-03-24
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| solidtime | solidtime | all versions before 0.11.6 (0.11.6 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33345 is an Insecure Direct Object Reference (IDOR) vulnerability in the solidtime open-source time-tracking app affecting versions prior to 0.11.6.

The vulnerability exists in the project detail API endpoint `GET /api/v1/organizations/{org}/projects/{project}`, which allows any authenticated user with the Employee role to access details of any project in the organization by its UUID, including private projects they are not a member of.

While the `index()` endpoint correctly restricts project visibility to only those projects visible to the employee, the `show()` endpoint lacks this restriction and only checks for a general `projects:view` permission that Employees have.

This flaw allows unauthorized employees to retrieve sensitive project information such as project names, configurations, and billable rates for private projects.

The issue was fixed in version 0.11.6 by enforcing a stricter permission check (`projects:view:all`) and adding the appropriate visibility scope to the `show()` endpoint. [1, 3]
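The gap described above, as an added example that is not solidtime's own code: a small model in which the pre-fix `show()` checks only the broad permission, while the fixed `show()` requires `projects:view:all` or falls back to the same visibility scope `index()` applies. Role names, the visibility rule (public projects plus memberships) and the sample projects are assumptions of this model.

```python
"""Added example, not solidtime's code: a model of the authorization gap in
CVE-2026-33345. Role names, the visibility rule and sample data are assumed."""
from dataclasses import dataclass
from uuid import UUID, uuid4
ROLE_PERMISSIONS = {  # assumed role model; Employees lack 'projects:view:all'
    "employee": {"projects:view"},
    "manager": {"projects:view", "projects:view:all"},
}

class Forbidden(Exception): pass  # stands in for an HTTP 403 response

@dataclass
class Project:
    id: UUID
    name: str
    is_public: bool
    billable_rate_cents: int  # the kind of data the IDOR exposed
    members: set             # usernames of project members

@dataclass
class User:
    name: str
    role: str
    def can(self, permission: str) -> bool:
        return permission in ROLE_PERMISSIONS[self.role]

def visible_projects(user: User, projects: dict) -> list:
    """Visibility scope as index() applies it: public projects plus memberships."""
    return [p for p in projects.values() if p.is_public or user.name in p.members]

def show_vulnerable(user: User, projects: dict, project_id: UUID) -> Project:
    """Pre-0.11.6 show() as described: broad permission check, no visibility scope."""
    if not user.can("projects:view"):
        raise Forbidden
    return projects[project_id]  # any UUID in the org resolves for any Employee

def show_fixed(user: User, projects: dict, project_id: UUID) -> Project:
    """0.11.6 show() as described: 'projects:view:all' or the index() scope."""
    if user.can("projects:view:all"):
        return projects[project_id]
    for p in visible_projects(user, projects):
        if p.id == project_id:
            return p
    raise Forbidden  # same response whether the project is private or absent

def sample_org():
    """Constructed sample data: one public and one private project."""
    public = Project(uuid4(), "Website refresh", True, 9000, {"alice", "carol"})
    private = Project(uuid4(), "Confidential bid", False, 25000, {"carol"})
    return {public.id: public, private.id: private}, private.id, public.id
```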
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of confidential project information within an organization.
- Employees who are not members of private projects can access full project metadata, including sensitive business data such as project names, configurations, and billable rates.
- Project UUIDs, which are used to access project details, can be discovered through browser history, shared URLs, or network traffic, making it easier for unauthorized users to exploit this vulnerability.
The vulnerability has a CVSS v3.1 base score of 6.5, indicating a medium severity with high confidentiality impact but no impact on integrity or availability.
If exploited, this could lead to exposure of sensitive organizational data, potentially harming business operations or competitive advantage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access private project details via the vulnerable API endpoint using an authenticated Employee account that is not a member of the private project.

A practical detection method involves sending a GET request to the endpoint `/api/v1/organizations/{org}/projects/{project}` with the UUID of a private project while authenticated as an Employee who should not have access.

If the request returns HTTP 200 with project details, the system is vulnerable. If it returns HTTP 403 Forbidden, the vulnerability is mitigated.

- Use curl or similar tools to test access, for example:

```
curl -i -H "Authorization: Bearer <employee_token>" https://<solidtime-host>/api/v1/organizations/<org>/projects/<private_project_uuid>
```

- Check the HTTP response code and content to determine if unauthorized access is possible. [3]
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to upgrade the solidtime application to version 0.11.6 or later, where the vulnerability has been patched.

This update enforces stricter permission checks on the project detail endpoint, preventing unauthorized Employees from accessing private projects.

If upgrading immediately is not possible, restrict access to the vulnerable API endpoint by network controls or application-level firewall rules to limit access to trusted users only.

Additionally, review and audit user permissions to ensure that Employees do not have excessive privileges such as `projects:view:all` unless explicitly required. [2, 1]