CVE-2026-33345

Name of the Vulnerable Software and Affected Versions solidtime versions prior to 0.11.6

Description The application is an open-source time-tracking app. A flaw exists in the project detail endpoint, allowing authenticated employees to access any project within an organization using its UUID, including private projects where they are not members. The index() endpoint correctly enforces access control using the visibleByEmployee() scope, but the show() endpoint does not. The vulnerable API endpoint is GET /api/v1/organizations/{org}/projects/{project}. The vulnerable parameter is project.

Recommendations Update to version 0.11.6 or later.