CVE-2026-33345 MEDIUM

CVE-2026-33345: solidtime vulnerable to IDOR in private projects

Vendor Solidtime-Io
Product solidtime
Weakness CWE-639 · IDOR
Published March 24, 2026
Last update March 25, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated user with the Employee role to read any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly filters the project list with the visibleByEmployee() scope, but show() resolves the UUID without applying that scope, so the per-project visibility check is missing on the detail route. The endpoint is read-only, which matches the CVSS impact of high confidentiality with no integrity or availability impact. This issue has been patched in version 0.11.6.
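The gap is easiest to see with the two lookups side by side. The block below is an added example written for this page, not solidtime's own code: an in-memory stand-in for the project lookup in which `show_vulnerable` resolves the UUID without any visibility filter and `show_fixed` reuses the same filter that `index` applies. The names `ProjectStore`, `show_vulnerable`, `show_fixed`, the `is_private` flag and the member set are assumptions for illustration; the visibility rule modelled (a project is visible to an employee when it is not private or the employee is a member of it) is inferred from the advisory text, not taken from the project's source.

```python
"""Added example modelling CVE-2026-33345 (not solidtime code).

Assumed visibility rule: a project is visible to an employee of the
organization when it is not private or the employee is a member of it.
All organizations, projects and employees below are constructed test data.
"""
from dataclasses import dataclass, field
import uuid


class NotFound(Exception):
    """Stands in for the HTTP 404 a findOrFail-style lookup would raise."""


@dataclass(frozen=True)
class Project:
    id: str
    org: str
    name: str
    is_private: bool
    members: frozenset  # employee ids allowed to see a private project


@dataclass
class ProjectStore:
    projects: dict = field(default_factory=dict)

    def add(self, org, name, is_private, members=()):
        p = Project(str(uuid.uuid4()), org, name, is_private, frozenset(members))
        self.projects[p.id] = p
        return p

    def visible_by_employee(self, org, employee):
        # Equivalent of a visibleByEmployee() query scope: same organization,
        # and either non-private or the employee is a member of the project.
        return [p for p in self.projects.values()
                if p.org == org and (not p.is_private or employee in p.members)]

    def index(self, org, employee):
        # The list endpoint: filtered, so private projects never appear here.
        return self.visible_by_employee(org, employee)

    def show_vulnerable(self, org, employee, project_id):
        # The flawed detail endpoint: only checks that the UUID belongs to the
        # organization. Any employee of the org who learns or guesses the UUID
        # of a private project can read it (the IDOR).
        p = self.projects.get(project_id)
        if p is None or p.org != org:
            raise NotFound(project_id)
        return p

    def show_fixed(self, org, employee, project_id):
        # Apply the same scope as index() before resolving the UUID. A private
        # project the employee is not a member of is reported exactly like a
        # nonexistent one, so the response does not confirm that it exists.
        for p in self.visible_by_employee(org, employee):
            if p.id == project_id:
                return p
        raise NotFound(project_id)


def demo():
    """Run both lookups as a non-member employee and report what each allowed."""
    store = ProjectStore()
    org = "org-1"
    public = store.add(org, "Website", is_private=False)
    secret = store.add(org, "Due diligence", is_private=True, members={"alice"})
    outsider = "bob"  # employee of org-1, not a member of the private project

    listed = {p.id for p in store.index(org, outsider)}
    leaked = store.show_vulnerable(org, outsider, secret.id) is secret
    try:
        store.show_fixed(org, outsider, secret.id)
        blocked = False
    except NotFound:
        blocked = True
    member_ok = store.show_fixed(org, "alice", secret.id) is secret
    return {"public_id": public.id, "secret_id": secret.id, "listed": listed,
            "leaked": leaked, "blocked": blocked, "member_ok": member_ok}


if __name__ == "__main__":
    print(demo())
```

The design point carried by `show_fixed` is the one the advisory implies: the detail route must pass through the same authorization filter as the list route, rather than checking organization membership alone, and the failure should be a 404 rather than a 403 so a non-member cannot use the endpoint to enumerate which UUIDs correspond to real private projects. When reviewing other Laravel-style controllers for the same class of bug, compare the query each `show()` builds against the one its `index()` builds; any scope present on one and absent from the other is a candidate IDOR.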

Key dates

02 Disclosure timeline

March 24, 2026 CVE published
March 25, 2026 Record updated