CVE-2026-47236
Information Disclosure in Solidtime Time-Tracking App

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Solidtime is an open-source time-tracking app. Prior to version 0.12.2, Solidtime defines explicit invitations:view and members:view permissions that gate the official invitations and members API. The Jetstream web team page, however, authorizes access with only belongsToTeam() and then loads and serializes all pending invitation emails and all members into Inertia props. Any employee who belongs to the organization can therefore read pending invitation email addresses and member details from the serialized Inertia data in the team page body, even though the same user is forbidden from calling the API. This issue has been patched in version 0.12.2.
Meta Information
Generated: 2026-06-13
Affected Vendors & Products

Vendor      Product     Version / Range
solidtime   solidtime   up to 0.12.2 (excluding)
solidtime   solidtime   0.12.2
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

CVE-2026-47236 is an information disclosure vulnerability in the Solidtime open-source time-tracking app prior to version 0.12.2.

The issue arises because the web team page authorizes access only by checking if a user belongs to the organization, rather than verifying specific permissions like invitations:view or members:view.

As a result, any employee in the organization can see sensitive information such as pending invitation email addresses and member details (including emails, names, profile photos, and roles) through serialized Inertia props on the team page, even though the API correctly restricts access to this data.

This vulnerability was fixed in version 0.12.2 by applying proper permission checks before including this data in the Inertia props.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information within an organization.

  • Employees without proper permissions can view pending invitation email addresses.
  • Employees can also access member details such as email addresses, names, profile photos, and role assignments.

Such exposure could lead to privacy violations, social engineering risks, or internal information leakage.

The vulnerability has a medium severity score (CVSS 4.3) with low attack complexity and requires only low privileges and no user interaction.

Detection Guidance

The vulnerability can be confirmed by inspecting the serialized Inertia props in the Solidtime team page response body: on an affected instance, the page carries the pending invitation emails and member details even for a user who lacks the invitations:view and members:view permissions.

Because the data is exposed in the HTML of the page rather than through the API, an ordinary HTTP client or the browser's developer tools is enough to capture and analyze the response. Test with the session of an organization member who does not hold invitations:view or members:view; a session that does hold them is allowed to see this data, so a positive result for it proves nothing.

  • Use curl or wget to fetch the team page with that user's session cookie and inspect the body for serialized invitation and member data, for example: curl -i -H "Cookie: <your_auth_cookie>" https://<solidtime-instance>/team
  • Use browser developer tools (Network tab), logged in as that user, to examine the team page response and look for the Inertia props (the JSON in the data-page attribute of the application root element) containing invitation emails or member information.

If the page body returned to that low-privileged session contains pending invitation emails or other members' details while the invitations and members API refuses the same session, the instance is vulnerable; after upgrading to 0.12.2, the same request should return the page without that data.
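A small checker for this, added here as an example and not code from Solidtime or from this page's author: it parses a captured team page response, pulls the Inertia page object out of the data-page attribute that Laravel's Inertia root template emits, and lists every email address in the props other than the requesting user's own. The Jetstream-style prop names (team.users, team.teamInvitations) and the auth.user location of the caller's identity are assumptions; the scan walks the whole props tree, so it does not depend on them. The embedded response body is constructed for the example.

```python
"""Scan a captured Solidtime team page for invitation/member emails leaked
via Inertia props.

Added example for CVE-2026-47236; not Solidtime's code. Assumes the standard
Laravel Inertia root template, which embeds the page object as HTML-escaped
JSON in the data-page attribute of <div id="app">. The prop names used in the
sample (auth.user, team.users, team.teamInvitations) are assumptions modelled
on Jetstream's Teams/Show page; the scan itself is name-agnostic.
"""
import html
import json
import re
import urllib.request
from typing import Any, Iterator

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# The data-page value is HTML-escaped, so it contains no raw '"' or '>'.
DATA_PAGE_RE = re.compile(r'<div[^>]*\bid="app"[^>]*\bdata-page="([^"]*)"')


def extract_inertia_page(body: str) -> dict:
    """Return the Inertia page object ({component, props, url, version})."""
    m = DATA_PAGE_RE.search(body)
    if m is None:
        raise ValueError("no Inertia data-page attribute found in response body")
    return json.loads(html.unescape(m.group(1)))


def walk(obj: Any, path: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted path, scalar) for every leaf of a nested JSON structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, obj


def leaked_emails(page: dict) -> list[tuple[str, str]]:
    """Email addresses in props that belong to someone other than the caller.

    The caller's own identity (assumed at props.auth.user) is excluded, since
    the page legitimately carries that for any logged-in user.
    """
    props = page.get("props") or {}
    own = ((props.get("auth") or {}).get("user") or {}).get("email")
    return [
        (path, leaf)
        for path, leaf in walk(props)
        if isinstance(leaf, str)
        and EMAIL_RE.match(leaf)
        and leaf != own
        and not path.startswith("auth.")
    ]


def check_body(body: str) -> list[tuple[str, str]]:
    """HTML body in, list of (prop path, email) out; empty means nothing leaked."""
    return leaked_emails(extract_inertia_page(body))


def fetch_team_page(url: str, session_cookie: str) -> str:
    """Fetch the team page with a given session cookie (network; not used offline)."""
    req = urllib.request.Request(url, headers={"Cookie": session_cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed response body standing in for an affected instance's team page,
# as seen by a member (id 7) who holds neither invitations:view nor members:view.
_CONSTRUCTED_PAGE = {
    "component": "Teams/Show",
    "props": {
        "auth": {"user": {"id": 7, "name": "Me", "email": "me@example.com"}},
        "team": {
            "id": 1,
            "users": [{"id": 1, "name": "Owner", "email": "owner@example.com"}],
            "teamInvitations": [{"id": 3, "email": "new.hire@example.com"}],
        },
    },
    "url": "/teams/1",
    "version": "constructed",
}
SAMPLE_BODY = (
    '<!DOCTYPE html><html><body><div id="app" data-page="'
    + html.escape(json.dumps(_CONSTRUCTED_PAGE), quote=True)
    + '"></div></body></html>'
)

if __name__ == "__main__":
    for path, email in check_body(SAMPLE_BODY):
        print(f"{path}: {email}")
```

To use it against a live instance, save the body returned by the curl command above (requested with the session cookie of a member who lacks invitations:view and members:view) and pass it to check_body, or call fetch_team_page with that cookie; a non-empty list before the upgrade and an empty one on 0.12.2 or later is the expected contrast.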

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Solidtime to version 0.12.2 or later, where this vulnerability has been fixed.

The update applies proper permission checks in the JetstreamServiceProvider to prevent unauthorized users from accessing pending invitation and member data in the team page response.

Until the upgrade is applied, interim options are limited, because any member of the organization can reach the team page: keep organization membership restricted to trusted users and review access logs for unusual request patterns against the team page.

Compliance Impact

This vulnerability allows unauthorized employees within an organization to access sensitive information such as pending invitation email addresses and member details without proper permission checks.

Exposure of such personal data could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of personal information.

Since the vulnerability involves information disclosure of user emails and member details, organizations using affected versions of Solidtime may risk violating privacy and data security requirements mandated by these standards.

Upgrading to version 0.12.2, which patches this issue by enforcing proper permission checks, is necessary to mitigate these compliance risks.
