Description

solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.

INFO

Published Date :

2026-03-24T19:30:27.471Z

Last Modified :

2026-03-25T13:21:58.960Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33345 vulnerability.

Vendors Products
Solidtime
  • Solidtime
Solidtime-io
  • Solidtime
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33345.

URL Resource
https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209 cve-icon cve-icon
https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6 cve-icon cve-icon
https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact