Open-Source Time Tracking App Vulnerability Affecting Solidtime
CVE-2026-42279

5.8 MEDIUM

Key Information:

CVE Published: 8 May 2026

What is CVE-2026-42279?

Solidtime version 0.12.0 has a security flaw in the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} endpoint. A user holding the 'time-entries:update:all' permission can modify time entries that belong to a different organization: by supplying a known foreign time-entry UUID, the attacker can bind that entry to objects in their own organization. The issue is fixed in version 0.12.1.
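
A minimal model of the missing ownership check, as an added example (not Solidtime's code or its actual patch). The in-memory store, the handler names and the sample IDs are constructed, and the caller is assumed to already hold 'time-entries:update:all' in the organization named in the URL.

```python
from dataclasses import dataclass

# Constructed sample data: two tenants, each with one time entry and one project.
# Assumption: the caller's permission in url_org has already been verified.
ORG_A, ORG_B = "org-a", "org-b"

@dataclass
class TimeEntry:
    id: str
    organization_id: str
    project_id: str

class NotFound(Exception): pass  # would map to HTTP 404

def make_store():
    entries = {
        "te-a1": TimeEntry("te-a1", ORG_A, "proj-a"),
        "te-b1": TimeEntry("te-b1", ORG_B, "proj-b"),
    }
    projects = {"proj-a": ORG_A, "proj-b": ORG_B}  # project id -> owning org
    return entries, projects

def update_unscoped(store, url_org, entry_id, project_id):
    """Flawed pattern: entry resolved by UUID alone, body validated against URL org."""
    entries, projects = store
    entry = entries.get(entry_id)
    if entry is None or projects.get(project_id) != url_org:
        raise NotFound(entry_id)
    entry.project_id = project_id  # foreign entry now points at url_org's project
    return entry

def update_scoped(store, url_org, entry_id, project_id):
    """Hardened pattern: the entry must belong to the organization in the URL."""
    entries, projects = store
    entry = entries.get(entry_id)
    if entry is None or entry.organization_id != url_org:
        raise NotFound(entry_id)  # same response as a non-existent UUID
    if projects.get(project_id) != url_org:
        raise NotFound(project_id)
    entry.project_id = project_id
    return entry

def cross_tenant_rejected(handler):
    """True if a caller acting in ORG_A cannot change ORG_B's entry via handler."""
    store = make_store()
    try:
        handler(store, ORG_A, "te-b1", "proj-a")
    except NotFound:
        return store[0]["te-b1"].project_id == "proj-b"
    return False
```

A regression test for this class of bug calls every route that takes both an organization and a child-object UUID with a UUID from a second tenant and expects the same response as for a non-existent object.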

Affected Version(s)

solidtime = 0.12.0


CVSS V3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
