CVE-2026-33345 PUBLISHED

solidtime vulnerable to IDOR in private projects

Assigner: GitHub_M
Reserved: 18.03.2026 Published: 24.03.2026 Updated: 25.03.2026

solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	solidtime-io
Product	solidtime
Versions	Version < 0.11.6 is affected

References

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key CWE