CVE-2026-42279: CWE-639: Authorization Bypass Through User-Controlled Key in solidtime-io solidtime
solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.
AI Analysis
Technical Summary
In solidtime 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} endpoint checks the caller's time-entries:update:all permission against the {organization} in the URL, but the route-bound {timeEntry} is resolved by its UUID alone and is never checked for membership in that organization. A member holding time-entries:update:all in any organization can therefore supply the UUID of a time entry that belongs to a different organization and update it, including re-pointing it at objects (such as projects or members) in the caller's own organization. The {timeEntry} route parameter is the user-controlled key, which is why the issue is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability is fixed in version 0.12.1.
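The following added example models the bug class described above in a framework-free form. It is not solidtime code and does not reproduce the project's fix; the store, model and function names (Store, Member, TimeEntry, update_time_entry_vulnerable, update_time_entry_fixed) and the two-tenant scenario are hypothetical. The vulnerable handler performs the permission check against the URL organization and then resolves the entry by key alone; the hardened handler scopes the lookup to the URL organization, treats a foreign key as not found, and also refuses to rebind the entry to a project outside that organization.

```python
"""Model of CWE-639 in a multi-tenant "update time entry" endpoint.

Added illustration only: this is not solidtime code, and the names
(Store, Member, TimeEntry, update_time_entry_vulnerable/_fixed) are
hypothetical stand-ins for the route, model and policy layers.
"""
from dataclasses import dataclass, field
from typing import Optional

PERM_UPDATE_ALL = "time-entries:update:all"


class AuthorizationError(Exception):
    """Caller lacks the required permission in the URL organization (403)."""


class NotFound(Exception):
    """Route parameter does not resolve inside the URL organization (404)."""


@dataclass
class Member:
    user_id: str
    organization_id: str
    permissions: set = field(default_factory=set)


@dataclass
class TimeEntry:
    id: str                       # a UUID in the real app; short ids used here
    organization_id: str
    member_id: str
    project_id: Optional[str]
    description: str


class Store:
    """In-memory stand-in for the database (constructed for this example)."""

    def __init__(self) -> None:
        self.members: dict = {}   # (user_id, organization_id) -> Member
        self.projects: dict = {}  # project_id -> organization_id
        self.entries: dict = {}   # time_entry_id -> TimeEntry


def require_permission(store: Store, user_id: str, org_id: str, perm: str) -> None:
    """Permission check as both versions perform it: against the URL organization."""
    member = store.members.get((user_id, org_id))
    if member is None or perm not in member.permissions:
        raise AuthorizationError(f"{user_id} lacks {perm} in {org_id}")


def apply_changes(entry: TimeEntry, changes: dict) -> TimeEntry:
    """Write the allowed fields of the request body onto the entry."""
    for key in ("description", "project_id"):
        if key in changes:
            setattr(entry, key, changes[key])
    return entry


def update_time_entry_vulnerable(store, user_id, org_id, entry_id, changes):
    """CWE-639: the {timeEntry} key is resolved by id alone.

    The permission is checked in the URL organization, but the entry is never
    checked against that organization, so a foreign id is accepted and its
    fields are rebound to whatever objects the caller names.
    """
    require_permission(store, user_id, org_id, PERM_UPDATE_ALL)
    entry = store.entries.get(entry_id)          # global lookup: the bug
    if entry is None:
        raise NotFound(entry_id)
    return apply_changes(entry, changes)


def update_time_entry_fixed(store, user_id, org_id, entry_id, changes):
    """Scoped lookup: the entry must belong to the URL organization, and any
    object it is rebound to must belong to that organization as well."""
    require_permission(store, user_id, org_id, PERM_UPDATE_ALL)
    entry = store.entries.get(entry_id)
    if entry is None or entry.organization_id != org_id:
        raise NotFound(entry_id)                 # foreign key: behave as if absent
    new_project = changes.get("project_id")
    if new_project is not None and store.projects.get(new_project) != org_id:
        raise AuthorizationError(f"project {new_project} is not in {org_id}")
    return apply_changes(entry, changes)


def build_scenario() -> Store:
    """Two tenants; mallory holds time-entries:update:all only in org-a."""
    store = Store()
    store.members[("mallory", "org-a")] = Member("mallory", "org-a", {PERM_UPDATE_ALL})
    store.members[("bob", "org-b")] = Member("bob", "org-b", {PERM_UPDATE_ALL})
    store.projects["proj-a"] = "org-a"
    store.projects["proj-b"] = "org-b"
    store.entries["te-1"] = TimeEntry("te-1", "org-b", "bob", "proj-b", "Bob's work")
    return store


if __name__ == "__main__":
    tamper = {"description": "tampered", "project_id": "proj-a"}
    hit = update_time_entry_vulnerable(build_scenario(), "mallory", "org-a", "te-1", tamper)
    print("vulnerable:", hit)                   # org-b entry now points at proj-a
    try:
        update_time_entry_fixed(build_scenario(), "mallory", "org-a", "te-1", tamper)
    except NotFound as exc:
        print("fixed: not found for", exc)
```

The hardened version answers a foreign key with the same "not found" it would give a random id, so the endpoint does not confirm that a guessed UUID exists in another tenant. Scoping the lookup is necessary but not sufficient: the body fields that reference other objects (here project_id) must be validated against the URL organization too, otherwise an in-tenant entry can still be rebound to a foreign object.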
Potential Impact
An attacker who holds time-entries:update:all in one organization can modify time entries belonging to other organizations by referencing their UUIDs, so the damage crosses tenant boundaries: entries can be altered or re-pointed at the attacker's own projects or members, corrupting the victim organization's time-tracking data. Two prerequisites apply: the attacker needs an account with that permission in some organization (on instances where anyone can sign up and create an organization, this is easy to satisfy), and the attacker needs to know the target entry's UUID, since the advisory describes a known UUID rather than enumeration. The impact is to integrity; the advisory reports no direct confidentiality or availability impact.
Mitigation Recommendations
Upgrade solidtime to version 0.12.1 or later, the version in which the vendor advisory states the authorization bypass is fixed. The advisory indicates no workaround, so self-hosted instances on 0.12.0 should be upgraded promptly. After upgrading, operators may want to review time entries whose project or member was changed across organizations during the exposure window, since the advisory gives no indication that existing modifications are reverted.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-26T11:53:27.716Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fd6bcccbff5d8610923295
Added to database: 5/8/2026, 4:51:24 AM
Last enriched: 5/8/2026, 5:06:46 AM
Last updated: 5/8/2026, 11:56:20 AM