Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33345 is an Insecure Direct Object Reference (IDOR) vulnerability in the solidtime open-source time-tracking app affecting versions prior to 0.11.6.'}, {'type': 'paragraph', 'content': 'The vulnerability exists in the project detail API endpoint GET /api/v1/organizations/{org}/projects/{project}, which allows any authenticated user with the Employee role to access details of any project in the organization by its UUID, including private projects they are not a member of.'}, {'type': 'paragraph', 'content': "While the index() endpoint correctly restricts project visibility to only those projects visible to the employee, the show() endpoint lacks this restriction and only checks for a general 'projects:view' permission that Employees have."}, {'type': 'paragraph', 'content': 'This flaw allows unauthorized employees to retrieve sensitive project information such as project names, configurations, and billable rates for private projects.'}, {'type': 'paragraph', 'content': "The issue was fixed in version 0.11.6 by enforcing a stricter permission check ('projects:view:all') and adding the appropriate visibility scope to the show() endpoint."}] [1, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of confidential project information within an organization.

• Employees who are not members of private projects can access full project metadata, including sensitive business data such as project names, configurations, and billable rates.
• Project UUIDs, which are used to access project details, can be discovered through browser history, shared URLs, or network traffic, making it easier for unauthorized users to exploit this vulnerability.

The vulnerability has a CVSS v3.1 base score of 6.5, indicating a medium severity with high confidentiality impact but no impact on integrity or availability.

If exploited, this could lead to exposure of sensitive organizational data, potentially harming business operations or competitive advantage.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access private project details via the vulnerable API endpoint using an authenticated Employee account that is not a member of the private project.'}, {'type': 'paragraph', 'content': 'A practical detection method involves sending a GET request to the endpoint /api/v1/organizations/{org}/projects/{project} with the UUID of a private project while authenticated as an Employee who should not have access.'}, {'type': 'paragraph', 'content': 'If the request returns HTTP 200 with project details, the system is vulnerable. If it returns HTTP 403 Forbidden, the vulnerability is mitigated.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to test access, for example:'}, {'type': 'list_item', 'content': 'curl -i -H "Authorization: Bearer <employee_token>" https://<solidtime-host>/api/v1/organizations/<org>/projects/<private_project_uuid>'}, {'type': 'list_item', 'content': 'Check the HTTP response code and content to determine if unauthorized access is possible.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary immediate mitigation step is to upgrade the solidtime application to version 0.11.6 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'This update enforces stricter permission checks on the project detail endpoint, preventing unauthorized Employees from accessing private projects.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, restrict access to the vulnerable API endpoint by network controls or application-level firewall rules to limit access to trusted users only.'}, {'type': 'paragraph', 'content': "Additionally, review and audit user permissions to ensure that Employees do not have excessive privileges such as 'projects:view:all' unless explicitly required."}] [2, 1]

Useful 0 Not Useful 0