The vulnerability identified as CVE-2026-33345 affects solidtime, an open-source time-tracking application. The flaw lies in the authorization logic of the project detail endpoint GET /api/v1/organizations/{org}/projects/{project}. Specifically, the show() method fails to apply the visibleByEmployee() scope that restricts project visibility to authorized members. As a result, any authenticated employee within the organization can access project details by specifying the project UUID, including private projects they do not belong to. This constitutes an authorization bypass (CWE-639), allowing unauthorized users to view sensitive project data. The index() endpoint properly enforces access control, but the show() endpoint does not, creating an inconsistent security posture. The vulnerability affects all versions prior to 0.11.6 and was publicly disclosed on March 24, 2026. The CVSS v3.1 base score is 6.5, reflecting a medium severity with high confidentiality impact but no integrity or availability impact. Exploitation requires authentication but no user interaction, and the attack vector is network-based. The issue has been resolved in version 0.11.6 by correcting the authorization checks on the show() endpoint. No known exploits have been reported in the wild, but the vulnerability poses a risk of unauthorized data disclosure within organizations using vulnerable versions.

This vulnerability primarily impacts the confidentiality of project data within organizations using solidtime versions prior to 0.11.6. Unauthorized employees can access private project details, potentially exposing sensitive business information, project plans, timelines, or proprietary data. While the vulnerability does not affect data integrity or availability, the unauthorized disclosure can lead to competitive disadvantage, loss of trust, or regulatory compliance issues if sensitive information is leaked. Organizations with multiple projects and strict access controls are most at risk, as the flaw undermines internal data segregation. Since exploitation requires authentication, the threat is limited to insiders or compromised employee accounts. However, given the network-based attack vector and lack of user interaction requirement, an attacker with valid credentials can easily exploit this vulnerability remotely. The absence of known exploits in the wild suggests limited active exploitation currently, but the risk remains significant until patched.

The primary mitigation is to upgrade solidtime to version 0.11.6 or later, where the authorization bypass has been fixed. Organizations should prioritize patching vulnerable instances promptly. In addition, administrators should review user access controls and audit logs for any unauthorized access to project data. Implementing stricter authentication mechanisms such as multi-factor authentication can reduce the risk of compromised credentials being used to exploit this flaw. If immediate patching is not feasible, organizations can implement network segmentation or restrict access to the API endpoints to trusted networks or VPNs to limit exposure. Developers maintaining forks or custom versions of solidtime should ensure that the visibleByEmployee() scope or equivalent authorization checks are consistently applied to all project-related endpoints. Regular security code reviews and penetration testing focusing on authorization logic can help detect similar issues proactively.