CVE-2026-33345

Published: Mar 24, 2026 Last Modified: Mar 24, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,5

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: none

Availability: none

Description

AI Translation Available

solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.

639

Authorization Bypass Through User-Controlled Key

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control

Potential Impacts:

Bypass Protection Mechanism Gain Privileges Or Assume Identity

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

https://github.com/solidtime-io/solidtime/commit/192c8c3b88…

https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934…

https://github.com/solidtime-io/solidtime/releases/tag/v0.1…

https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6

https://github.com/solidtime-io/solidtime/security/advisori…

https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jj…

CVE-2026-33345

Description

Authorization Bypass Through User-Controlled Key

Common Consequences

Applicable Platforms

Iscriviti alla newsletter