CVE-2026-42279 - Vulnerability Analysis
Medium | CVSS: 5.8 | Last Updated: May 8, 2026
Solidtime - Broken Access Control
Published: May 8, 2026 | Updated: May 8, 2026 | PoC Available | Remote Exploitable
Overview
Solidtime 0.12.0 contains a broken access control vulnerability caused by improper validation of the route-bound timeEntry in the PUT /api/v1/organizations/{organization}/time-entries/{timeEntry} API. Attackers with the time-entries:update:all permission can modify time entries across organizations. Exploitation requires the attacker to have the time-entries:update:all permission.
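The missing check described above, modelled in Python as an added example. It is not Solidtime's code: the data model, function names and sample records are assumptions constructed for illustration, and only the permission string and the two route parameters come from this page.

```python
from dataclasses import dataclass

PERMISSION = "time-entries:update:all"

@dataclass
class TimeEntry:
    id: str
    organization_id: str
    description: str

class Forbidden(Exception): pass
class NotFound(Exception): pass

# Constructed membership table: (user, organization) -> permissions.
MEMBERSHIPS = {("alice", "org-a"): {PERMISSION}}

def sample_store():
    """Constructed sample data: two organizations, one time entry each."""
    return {"te-a": TimeEntry("te-a", "org-a", "Org A work"),
            "te-b": TimeEntry("te-b", "org-b", "Org B work")}

def authorize(user, organization_id):
    # Permission is evaluated against the {organization} route parameter only.
    if PERMISSION not in MEMBERSHIPS.get((user, organization_id), set()):
        raise Forbidden(organization_id)

def update_unscoped(store, user, organization_id, time_entry_id, description):
    """Flawed pattern: {timeEntry} is resolved by id alone (CWE-639)."""
    authorize(user, organization_id)
    entry = store.get(time_entry_id)
    if entry is None:
        raise NotFound(time_entry_id)
    entry.description = description  # may belong to another organization
    return entry

def update_scoped(store, user, organization_id, time_entry_id, description):
    """Hardened pattern: {timeEntry} must belong to {organization}."""
    authorize(user, organization_id)
    entry = store.get(time_entry_id)
    # A cross-organization id is answered like a missing one, so the
    # response does not reveal that the entry exists elsewhere.
    if entry is None or entry.organization_id != organization_id:
        raise NotFound(time_entry_id)
    entry.description = description
    return entry
```

A regression test for the upgrade can follow the same shape: as a user holding the permission in one organization, send the update for an entry owned by a second organization and expect a rejection with the entry unchanged.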
Severity & Score
Severity: Medium
CVSS Score: 5.8
Impact
Attackers with update permission can modify time entries across organizations, leading to unauthorized data modification.
Mitigation
Upgrade to version 0.12.1.
Details
- CVE ID: CVE-2026-42279
- Severity: Medium
- CVSS Score: 5.8
- Type: broken_access_control
- Status: confirmed
CWE
- CWE-639
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N