CVE-2026-42279 PUBLISHED

solidtime: Time entry update endpoint allows cross-organization modification of a known time-entry UUID

Assigner: GitHub_M
Reserved: 26.04.2026 Published: 08.05.2026 Updated: 08.05.2026

solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N
CVSS Score: 5.8

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	solidtime-io
Product	solidtime
Versions	Version = 0.12.0 is affected

References

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key CWE