Medium severity5.8NVD Advisory· Published May 8, 2026· Updated May 8, 2026
CVE-2026-42279
CVE-2026-42279
Description
solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3(expand)+ 2 more
- (no CPE)
- cpe:2.3:a:solidtime:solidtime:0.12.0:*:*:*:*:*:*:*
- (no CPE)range: = 0.12.0
Patches
Vulnerability mechanics
References
3- github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab7277451296832cnvdPatch
- github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccwrnvdExploitVendor Advisory
- github.com/solidtime-io/solidtime/releases/tag/v0.12.1nvdProductRelease Notes
News mentions
0No linked articles in our index yet.