CVE-2026-42279
Analyzed Analyzed - Analysis Complete
Path Traversal in SolidTime Time-Tracking App

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42279
EUVD
EUVD-2026-28527
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
solidtime solidtime 0.12.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated user with elevated permissions in one organization to modify time-entry records belonging to another organization due to insufficient authorization checks. This cross-organization modification can lead to unauthorized alteration of another tenant's data, causing integrity corruption and potential data pollution in aggregated reports.

Such unauthorized data modification could impact compliance with standards and regulations like GDPR and HIPAA, which require strict data integrity and access controls to protect personal and sensitive information. The ability to alter records across organizational boundaries without proper authorization undermines data integrity and could lead to violations of these regulations.

However, exploitation requires high privileges and knowledge of a valid foreign time-entry UUID, which somewhat limits the risk. The issue has been patched in version 0.12.1, and users are advised to upgrade to mitigate this risk.

Executive Summary

The vulnerability in solidtime version 0.12.0 involves the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API endpoint. It allows an authenticated user with elevated permissions ('time-entries:update:all') in one organization to modify a time-entry record that belongs to another organization. This happens because the system does not properly verify that the timeEntry UUID in the URL actually belongs to the specified organization, enabling cross-organization modification if the attacker knows a valid foreign time-entry UUID.

Specifically, the update method in the TimeEntryController fails to validate ownership of the time entry before allowing modifications, unlike other methods such as destroy(). This flaw allows an attacker to rebind a foreign time-entry to objects in their own organization, causing integrity issues.

Impact Analysis

This vulnerability can lead to unauthorized modification of time-entry records belonging to other organizations. An attacker with sufficient permissions in their own organization can alter records in a different organization if they know a valid time-entry UUID.

The impact includes corruption of data integrity across tenants, such as incorrect project or task totals and misleading report group labels, since recalculation jobs aggregate time entries without filtering by organization. This can affect reporting accuracy and trustworthiness of the data.

Exploitation requires high privileges and knowledge of a foreign time-entry UUID, making the attack complex but still possible.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the solidtime application to version 0.12.1 or later, where the security fix has been implemented.

This update addresses the improper authorization check that allowed cross-organization modification of time-entry records by ensuring that the time entry being modified belongs to the organization specified in the URL.

Until the upgrade is applied, restrict permissions such as 'time-entries:update:all' to trusted users only, as exploitation requires elevated privileges.

Detection Guidance

This vulnerability involves unauthorized modification of time-entry records across organizations via the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API endpoint when an attacker has elevated permissions and knows a foreign time-entry UUID.

To detect potential exploitation attempts on your system or network, you should monitor API requests to the PUT /api/v1/organizations/*/time-entries/* endpoint for unusual activity, such as modification requests where the timeEntry UUID does not belong to the organization specified in the URL.

Suggested commands or methods include:

  • Use web server or application logs to filter PUT requests to the affected endpoint and check for mismatches between the organization in the URL and the timeEntry UUID being modified.
  • If you have access to the database, query time-entry records to verify if any entries have been rebound or modified with organization IDs that do not match their original ownership.
  • Example command to search logs for suspicious PUT requests (assuming logs are in JSON format):
  • grep 'PUT /api/v1/organizations/' /path/to/access.log | grep 'time-entries' | grep -v 'expected-organization-id'
  • Implement or review audit logging for permission checks related to 'time-entries:update:all' to detect if users with this permission are modifying time entries outside their organization.

Upgrading to version 0.12.1 or later is strongly recommended to patch this vulnerability and prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42279. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart