Vulnerability Description
solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization when the caller has time-entries:update:all in the URL organization, allowing a known foreign time-entry UUID to be modified and rebound to objects in the caller's organization. This issue has been patched in version 0.12.1.
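The gap described above is a missing tenant check: the permission is evaluated against the organization in the URL, but the route-bound time entry is never checked against that same organization. The following Python model is an added illustration, not solidtime's own code; the handler names, entry IDs and permission table are constructed.

```python
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Caller lacks the permission in the URL organization."""


class NotFound(Exception):
    """Entry does not exist, or is not visible, in the URL organization."""


@dataclass
class TimeEntry:
    id: str
    organization_id: str
    project_id: Optional[str] = None


def make_store() -> dict:
    """Constructed sample data: two tenants with one entry each."""
    return {
        "entry-org-a": TimeEntry("entry-org-a", "org-a"),
        "entry-org-b": TimeEntry("entry-org-b", "org-b"),
    }


# Constructed permission table: (user, organization) -> permissions held there.
PERMISSIONS = {("alice", "org-a"): {"time-entries:update:all"}}


def _authorize(user: str, route_org: str) -> None:
    if "time-entries:update:all" not in PERMISSIONS.get((user, route_org), set()):
        raise Forbidden(f"{user} cannot update all entries in {route_org}")


def update_vulnerable(store, user, route_org, entry_id, payload) -> TimeEntry:
    """Pattern from the advisory: the permission is checked in the URL
    organization only, so any known entry UUID is accepted and rebound."""
    _authorize(user, route_org)
    entry = store.get(entry_id)
    if entry is None:
        raise NotFound(entry_id)
    entry.project_id = payload.get("project_id", entry.project_id)
    return entry


def update_fixed(store, user, route_org, entry_id, payload) -> TimeEntry:
    """Corrected handler: the route-bound entry must belong to the URL
    organization before any permission held in that organization applies."""
    _authorize(user, route_org)
    entry = store.get(entry_id)
    if entry is None or entry.organization_id != route_org:
        # Same response as a missing entry, so a foreign UUID is not confirmed as valid.
        raise NotFound(entry_id)
    entry.project_id = payload.get("project_id", entry.project_id)
    return entry
```

The same ownership check belongs on any object the payload rebinds (for example the project), so that a foreign entry can neither be reached nor attached to the caller's organization.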
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Solidtime | Solidtime | 0.12.0 |
Related Weaknesses (CWE)
References
- https://github.com/solidtime-io/solidtime/commit/b73aa543fdf5b61c37447307ab72774 (Patch)
- https://github.com/solidtime-io/solidtime/releases/tag/v0.12.1 (Product, Release Notes)
- https://github.com/solidtime-io/solidtime/security/advisories/GHSA-pmf9-pxq9-ccw (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-42279?
CVE-2026-42279 is a vulnerability with a CVSS score of 5.8 (MEDIUM). solidtime is an open-source time-tracking app. In version 0.12.0, the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API accepts a route-bound timeEntry from another organization wh...
How severe is CVE-2026-42279?
CVE-2026-42279 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2026-42279?
Check the references section above for vendor advisories and patch information. Affected products include: Solidtime Solidtime.