CVE-2026-33345: CWE-639: Authorization Bypass Through User-Controlled Key in solidtime-io solidtime
CVE-2026-33345 is an authorization bypass vulnerability in the open-source time-tracking app solidtime prior to version 0.11.6. The flaw exists in the project detail endpoint GET /api/v1/organizations/{org}/projects/{project}, which allows any authenticated employee to access project details by UUID, including private projects they are not authorized to view. While the index() endpoint correctly restricts project visibility, the show() endpoint does not enforce membership checks, leading to unauthorized data exposure. This vulnerability has a CVSS score of 6.5 (medium severity) and does not require user interaction but does require authenticated access. No known exploits are currently reported in the wild. The issue was patched in version 0.11.
AI Analysis
Technical Summary
CVE-2026-33345 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the solidtime open-source time-tracking application. The vulnerability arises because the show() endpoint (GET /api/v1/organizations/{org}/projects/{project}) fails to apply proper access control checks on project visibility. Specifically, any authenticated employee within an organization can retrieve details of any project by specifying its UUID, regardless of whether they are a member of that project and regardless of whether the project is private. This contrasts with the index() endpoint, which correctly applies the visibleByEmployee() scope to restrict project listings to those the employee is authorized to see. The missing authorization check in the show() endpoint leads to unauthorized disclosure of project details, potentially exposing sensitive business information. The vulnerability affects all versions prior to 0.11.6, where the issue has been patched. Exploitation requires authentication but no additional user interaction, and the attack vector is network-based with low complexity. The CVSS v3.1 score is 6.5, reflecting high confidentiality impact but no impact on integrity or availability. No known exploits have been reported in the wild as of the publication date.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive project information within an organization. Attackers who are authenticated employees can access private project details they are not authorized to view, potentially exposing confidential business data, project plans, timelines, or proprietary information. This enables insider abuse, data leakage, and loss of competitive advantage. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can have significant reputational and operational consequences. Organizations using solidtime for time tracking and project management, especially those handling sensitive or regulated data, face increased risk of internal data exposure. The impact is magnified in larger organizations with multiple projects and strict compartmentalization of information. Since exploitation requires valid employee credentials, the threat is primarily from malicious insiders or compromised accounts.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade solidtime to version 0.11.6 or later, where the authorization bypass has been fixed. Until the upgrade is applied, administrators should consider restricting access to the affected endpoints through network segmentation or API gateway policies that enforce strict access controls. Implementing additional application-layer authorization checks or custom middleware to verify project membership before returning project details can serve as a temporary workaround. Monitoring and auditing API access logs for unusual access patterns to project details by employees not assigned to those projects can help detect exploitation attempts. Enforcing strong authentication mechanisms and minimizing the number of employees with access to sensitive projects reduces risk. Finally, educating employees about the importance of credential security and monitoring for compromised accounts will help prevent abuse of this vulnerability.
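As an added example (not solidtime's own code), the following Python audit applies the membership rule that the patched show() endpoint must enforce, the same rule the index() endpoint already applies via its visibility scope, to constructed access-log lines, and flags successful detail reads of private projects by employees who are not members. The log format, the project catalogue and the organization membership are constructed assumptions; adapt the regex and the lookups to your deployment's real logs and database.

```python
"""Audit successful project-detail reads against a project membership rule."""
import re

# Constructed request-log lines: "<user> GET <path> <status>". Real solidtime
# access logs will differ; only the path shape matches the advisory's endpoint.
SAMPLE_LOG = """\
u-alice GET /api/v1/organizations/org-1/projects/proj-pub 200
u-bob GET /api/v1/organizations/org-1/projects/proj-secret 200
u-alice GET /api/v1/organizations/org-1/projects/proj-secret 200
u-carol GET /api/v1/organizations/org-1/projects/proj-secret 403
u-dave GET /api/v1/organizations/org-2/projects/proj-secret 200
"""

# Constructed organization and project data (assumption, not solidtime's schema).
ORG_EMPLOYEES = {"org-1": {"u-alice", "u-bob", "u-carol"}}
PROJECTS = {
    ("org-1", "proj-pub"): {"private": False, "members": set()},
    ("org-1", "proj-secret"): {"private": True, "members": {"u-bob"}},
}

SHOW_RE = re.compile(
    r"^(\S+) GET /api/v1/organizations/([^/\s]+)/projects/([^/\s]+) (\d{3})$"
)


def is_authorized(user, org, project):
    """Visibility rule a project detail endpoint must enforce: the caller is an
    employee of the organization, and the project is either public or the
    caller is one of its members. Unknown org/project pairs are not visible."""
    info = PROJECTS.get((org, project))
    if info is None or user not in ORG_EMPLOYEES.get(org, set()):
        return False
    return (not info["private"]) or (user in info["members"])


def find_unauthorized_reads(log_text):
    """Return (user, org, project) for each successful (2xx) detail read that
    the rule above would have denied. Requests the server already rejected
    (e.g. 403) are ignored, since no data was disclosed."""
    hits = []
    for line in log_text.splitlines():
        match = SHOW_RE.match(line)
        if not match:
            continue  # not a project-detail request
        user, org, project, status = match.groups()
        if not status.startswith("2"):
            continue
        if not is_authorized(user, org, project):
            hits.append((user, org, project))
    return hits


if __name__ == "__main__":
    for user, org, project in find_unauthorized_reads(SAMPLE_LOG):
        print(f"unauthorized read: {user} -> {org}/{project}")
```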
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-18T22:15:11.813Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c2ea08f4197a8e3b6b6437
Added to database: 3/24/2026, 7:46:16 PM
Last enriched: 3/24/2026, 8:02:02 PM
Last updated: 3/24/2026, 8:52:52 PM