Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.
The vendor did not respond to our communication attempts anymore. It is currently as of February 2026 unclear, whether a patch is available. Please contact the vendor to request a patch for the identified critical security issues.