CVE-2026-42092

Name of the Vulnerable Software and Affected Versions titra version 0.99.52

Description The globalsettings Meteor publication returns all global settings without performing administrative or role-based access checks. This allows any authenticated user to subscribe via DDP (Distributed Data Protocol, a real-time communication protocol used by Meteor) and retrieve sensitive configuration fields, including google secret, openai apikey, and google clientid.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.