CVE-2026-42279
Status: Analyzed - Analysis Complete
Path Traversal in SolidTime Time-Tracking App

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.
Meta Information
  • Generated: 2026-05-09
  • AI Q&A: 2026-05-08
  • EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
  • Vendor: solidtime
  • Product: solidtime
  • Version / Range: 0.12.0
CWE
  • CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in solidtime version 0.12.0 involves the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API endpoint. It allows an authenticated user with elevated permissions ('time-entries:update:all') in one organization to modify a time-entry record that belongs to another organization. This happens because the system does not properly verify that the timeEntry UUID in the URL actually belongs to the specified organization, enabling cross-organization modification if the attacker knows a valid foreign time-entry UUID.

Specifically, the update method in the TimeEntryController fails to validate ownership of the time entry before allowing modifications, unlike other methods such as destroy(). This flaw allows an attacker to rebind a foreign time-entry to objects in their own organization, causing integrity issues.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an authenticated user with elevated permissions in one organization to modify time-entry records belonging to another organization due to insufficient authorization checks. This cross-organization modification can lead to unauthorized alteration of another tenant's data, causing integrity corruption and potential data pollution in aggregated reports.

Such unauthorized data modification could impact compliance with standards and regulations like GDPR and HIPAA, which require strict data integrity and access controls to protect personal and sensitive information. The ability to alter records across organizational boundaries without proper authorization undermines data integrity and could lead to violations of these regulations.

However, exploitation requires high privileges and knowledge of a valid foreign time-entry UUID, which somewhat limits the risk. The issue has been patched in version 0.12.1, and users are advised to upgrade to mitigate this risk.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized modification of time-entry records across organizations via the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API endpoint when an attacker has elevated permissions and knows a foreign time-entry UUID.

To detect potential exploitation attempts on your system or network, you should monitor API requests to the PUT /api/v1/organizations/*/time-entries/* endpoint for unusual activity, such as modification requests where the timeEntry UUID does not belong to the organization specified in the URL.

Suggested commands or methods include:

  • Use web server or application logs to filter PUT requests to the affected endpoint and check for mismatches between the organization in the URL and the organization that owns the timeEntry UUID being modified.
  • If you have access to the database, query time-entry records to verify whether any entries have been rebound to projects, tasks or other objects whose organization ID does not match the entry's own organization.
  • Example command to list PUT requests to the endpoint whose URL names an organization other than the expected one (plain-text access log; this compares only the organization in the URL, so the owner of the timeEntry UUID still has to be checked against the database):
    grep 'PUT /api/v1/organizations/' /path/to/access.log | grep 'time-entries' | grep -v 'expected-organization-id'
  • Implement or review audit logging for permission checks related to 'time-entries:update:all' to detect if users with this permission are modifying time entries outside their organization.

Upgrading to version 0.12.1 or later is strongly recommended to patch this vulnerability and prevent exploitation.
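As an added illustration of the two checks described above (this script is not part of the advisory and is not solidtime's own code), the following Python applies them to constructed data: it parses access-log lines for PUT requests to the affected endpoint and flags those whose URL organization differs from the organization that owns the time entry, and it scans time-entry rows for entries rebound to a project in another organization. The log format, organization IDs, UUIDs and the entry-to-owner map are all made up; in a real deployment the owner map would come from the time_entries table and the log format would be whatever your web server writes.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample: which organization each time entry belongs to.
# In a real deployment this is read from the time_entries table (id -> organization_id).
# All UUIDs and organization IDs below are made up for this example.
TIME_ENTRY_OWNER: Dict[str, str] = {
    "7a1d2f4e-1111-4c2b-9d0e-aaaaaaaaaaa1": "org-alpha",
    "7a1d2f4e-2222-4c2b-9d0e-aaaaaaaaaaa2": "org-alpha",
    "7a1d2f4e-3333-4c2b-9d0e-bbbbbbbbbbb1": "org-beta",
}

# Constructed access-log lines in a common-log-like format (not solidtime's actual log format).
# Line 3 is the suspicious one: a caller acting in org-alpha updates an org-beta entry.
SAMPLE_LOG = """\
10.0.0.5 - user17 [08/May/2026:10:01:02 +0000] "PUT /api/v1/organizations/org-alpha/time-entries/7a1d2f4e-1111-4c2b-9d0e-aaaaaaaaaaa1 HTTP/1.1" 200 512
10.0.0.5 - user17 [08/May/2026:10:01:09 +0000] "GET /api/v1/organizations/org-alpha/time-entries HTTP/1.1" 200 2048
10.0.0.5 - user17 [08/May/2026:10:02:44 +0000] "PUT /api/v1/organizations/org-alpha/time-entries/7a1d2f4e-3333-4c2b-9d0e-bbbbbbbbbbb1 HTTP/1.1" 200 512
10.0.0.9 - user42 [08/May/2026:10:03:10 +0000] "PUT /api/v1/organizations/org-beta/time-entries/7a1d2f4e-3333-4c2b-9d0e-bbbbbbbbbbb1 HTTP/1.1" 200 512
10.0.0.9 - user42 [08/May/2026:10:03:55 +0000] "PUT /api/v1/organizations/org-beta/time-entries/00000000-0000-4000-8000-000000000000 HTTP/1.1" 404 90
"""

# Matches only PUT requests to the affected endpoint and captures the URL organization
# and the route-bound timeEntry identifier.
PUT_TIME_ENTRY = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"PUT /api/v1/organizations/(?P<org>[^/]+)/time-entries/(?P<entry>[^/ ?]+)[^"]*" (?P<status>\d{3})'
)


def find_cross_org_updates(log_lines: Iterable[str], owner_map: Dict[str, str]) -> List[dict]:
    """Return PUT time-entry updates whose URL organization is not the entry's owning organization."""
    findings = []
    for line in log_lines:
        m = PUT_TIME_ENTRY.match(line)
        if not m:
            continue
        owner = owner_map.get(m["entry"])
        if owner is None:
            continue  # unknown UUID (e.g. a 404 probe): nothing to compare against
        if owner != m["org"]:
            findings.append({
                "user": m["user"], "ip": m["ip"], "timestamp": m["ts"],
                "url_org": m["org"], "owner_org": owner,
                "time_entry": m["entry"], "status": int(m["status"]),
            })
    return findings


# Constructed time_entries rows as they might look after a rebinding: the org-beta entry
# now points at a project that belongs to org-alpha. Project IDs are made up.
PROJECT_OWNER: Dict[str, str] = {"proj-a1": "org-alpha", "proj-b1": "org-beta"}
TIME_ENTRIES: List[Dict[str, Optional[str]]] = [
    {"id": "7a1d2f4e-1111-4c2b-9d0e-aaaaaaaaaaa1", "organization_id": "org-alpha", "project_id": "proj-a1"},
    {"id": "7a1d2f4e-2222-4c2b-9d0e-aaaaaaaaaaa2", "organization_id": "org-alpha", "project_id": None},
    {"id": "7a1d2f4e-3333-4c2b-9d0e-bbbbbbbbbbb1", "organization_id": "org-beta", "project_id": "proj-a1"},
]


def find_rebound_entries(entries: Iterable[Dict[str, Optional[str]]],
                         project_owner: Dict[str, str]) -> List[Dict[str, Optional[str]]]:
    """Return entries whose project belongs to a different organization than the entry itself.
    Entries without a project, or with a project not in the map, are not flagged."""
    return [
        e for e in entries
        if e["project_id"] is not None
        and project_owner.get(e["project_id"]) not in (None, e["organization_id"])
    ]


if __name__ == "__main__":
    for f in find_cross_org_updates(SAMPLE_LOG.splitlines(), TIME_ENTRY_OWNER):
        print("cross-organization update:", f)
    for e in find_rebound_entries(TIME_ENTRIES, PROJECT_OWNER):
        print("entry bound to foreign project:", e)
```

The log check is the one that catches the request itself, but only when the owner map is available; the same grep-style filter on the URL alone cannot tell a legitimate update from a foreign UUID. The row-level check is the retrospective one: after an upgrade to 0.12.1, a single pass over time_entries comparing each entry's organization with the organization of its project (and task, tag or other bound objects) shows whether the flaw was ever used.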


How can this vulnerability impact me?

This vulnerability can lead to unauthorized modification of time-entry records belonging to other organizations. An attacker with sufficient permissions in their own organization can alter records in a different organization if they know a valid time-entry UUID.

The impact includes corruption of data integrity across tenants, such as incorrect project or task totals and misleading report group labels, since recalculation jobs aggregate time entries without filtering by organization. This can affect reporting accuracy and trustworthiness of the data.

Exploitation requires high privileges and knowledge of a foreign time-entry UUID, making the attack complex but still possible.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade the solidtime application to version 0.12.1 or later, where the security fix has been implemented.

This update addresses the improper authorization check that allowed cross-organization modification of time-entry records by ensuring that the time entry being modified belongs to the organization specified in the URL.

Until the upgrade is applied, restrict permissions such as 'time-entries:update:all' to trusted users only, as exploitation requires elevated privileges.
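To make the authorization flaw described in the explanation above, and the fix this update applies, concrete, here is an added model written in Python rather than in the project's own code base. It is not solidtime's code; all identifiers, organization IDs and the in-memory store are made up. The two binding functions contrast the vulnerable pattern (the route parameter resolved by UUID alone) with the fixed pattern (the lookup scoped to the organization named in the URL), and the handler shows why the project check alone was not enough: an entry from another organization could still be rebound to a project in the caller's organization.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class NotFound(Exception):
    """Maps to HTTP 404: the record is not visible in this organization."""


class Forbidden(Exception):
    """Maps to HTTP 403: the caller lacks the required permission."""


@dataclass
class TimeEntry:
    id: str
    organization_id: str
    project_id: Optional[str] = None


@dataclass
class Store:
    """Constructed in-memory stand-in for the time_entries and projects tables."""
    time_entries: Dict[str, TimeEntry] = field(default_factory=dict)
    project_owner: Dict[str, str] = field(default_factory=dict)  # project id -> organization id


def make_store() -> Store:
    # All identifiers are made up for this example.
    return Store(
        time_entries={
            "entry-a1": TimeEntry("entry-a1", "org-alpha", "proj-a1"),
            "entry-b1": TimeEntry("entry-b1", "org-beta", "proj-b1"),
        },
        project_owner={"proj-a1": "org-alpha", "proj-b1": "org-beta"},
    )


def bind_time_entry_unscoped(store: Store, time_entry_id: str) -> TimeEntry:
    """Vulnerable pattern (CWE-639): the route parameter is resolved by UUID alone,
    so an entry from any organization is returned as long as the UUID exists."""
    entry = store.time_entries.get(time_entry_id)
    if entry is None:
        raise NotFound(time_entry_id)
    return entry


def bind_time_entry_scoped(store: Store, organization_id: str, time_entry_id: str) -> TimeEntry:
    """Fixed pattern: the lookup is scoped to the organization in the URL, so a foreign
    UUID is indistinguishable from a nonexistent one (404, no existence leak)."""
    entry = store.time_entries.get(time_entry_id)
    if entry is None or entry.organization_id != organization_id:
        raise NotFound(time_entry_id)
    return entry


def update_time_entry(store: Store, permissions: Dict[str, Set[str]], organization_id: str,
                      time_entry_id: str, new_project_id: str, *, scoped: bool) -> TimeEntry:
    """Model of PUT /api/v1/organizations/{organization}/time-entries/{timeEntry}.
    `permissions` maps organization id -> permission strings the caller holds there."""
    if "time-entries:update:all" not in permissions.get(organization_id, set()):
        raise Forbidden(organization_id)
    entry = (bind_time_entry_scoped(store, organization_id, time_entry_id) if scoped
             else bind_time_entry_unscoped(store, time_entry_id))
    # The new project is validated against the URL organization in both variants.
    # Unscoped, the entry itself was never validated, so an org-beta entry ends up
    # bound to an org-alpha project: the cross-organization rebinding the advisory describes.
    if store.project_owner.get(new_project_id) != organization_id:
        raise NotFound(new_project_id)
    entry.project_id = new_project_id
    return entry


def run_scenario(scoped: bool) -> str:
    """Caller holds update:all in org-alpha only and names an org-beta entry in the URL."""
    store = make_store()
    perms = {"org-alpha": {"time-entries:update:all"}}
    try:
        entry = update_time_entry(store, perms, "org-alpha", "entry-b1", "proj-a1", scoped=scoped)
    except NotFound:
        return "rejected"
    return f"rebound:{entry.organization_id}->{entry.project_id}"


if __name__ == "__main__":
    print("unscoped binding:", run_scenario(scoped=False))  # the 0.12.0 behaviour
    print("scoped binding:  ", run_scenario(scoped=True))   # the 0.12.1 behaviour
```

The practical lesson for reviewing similar code is that the permission check (does the caller hold update:all in the URL organization?) and the tenant check (does the bound record belong to that organization?) are two separate controls; the advisory notes that destroy() already had the second one and update() did not, which is the kind of inconsistency between sibling handlers worth grepping for in any multi-tenant code base.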

