PatchSiren cyber security CVE debrief
CVE-2026-47236 solidtime-io CVE debrief
CVE-2026-47236 is a medium-severity vulnerability in Solidtime, an open-source time-tracking app. The issue allows unauthorized access to pending invitation and member data through Inertia props on the team page. This occurs because the Jetstream web team page authorizes access using only the `belongsToTeam()` method, then loads and serializes all pending invitation emails and members into Inertia props. As a result, any employee who belongs to the organization can read pending invitation email addresses and members, even though they are forbidden from accessing this data through the official API.
- Vendor
- solidtime-io
- Product
- solidtime
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Users of Solidtime versions prior to 0.12.2 should apply the patch to prevent unauthorized access to sensitive team data.
Technical summary
The vulnerability exists because of insufficient permission checks in Solidtime's Jetstream web team page. The page authorizes the request with `belongsToTeam()` alone, which only establishes that the requester is a member of the organization, and then eager-loads the team's pending invitations and members and serializes them into the Inertia props sent to the browser. It does not apply the finer-grained permission check that the API enforces for the same data, so any member of the organization can read pending invitation email addresses and the member list from the page payload.
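The following controller sketch is an added illustration of the pattern described above, written in Laravel Jetstream terms; it is not Solidtime's code and not the project's actual fix. `belongsToTeam()`, `hasTeamPermission()` and `Inertia::render()` are real Jetstream/Inertia APIs, while the `Teams/Show` component name and the `member:read` permission name are assumptions. The weak variant gates the page on membership only and serializes everything; the hardened variant keeps the membership gate but reuses the same permission the API would check before putting members and invitation emails into the props.

```php
<?php
// Added illustration (not Solidtime's code). Assumed names: the `Teams/Show`
// Inertia component and the `member:read` team permission, which is taken to
// be the same check the API enforces for member and invitation reads.

namespace App\Http\Controllers;

use App\Models\Team;
use Illuminate\Http\Request;
use Inertia\Inertia;
use Inertia\Response;

class TeamPageController extends Controller
{
    // BEFORE: membership is the only gate. Every member of the organization
    // receives the serialized member list and pending invitation emails in
    // the page props, even if the API would refuse them the same data.
    public function showWeak(Request $request, Team $team): Response
    {
        abort_unless($request->user()->belongsToTeam($team), 403);

        return Inertia::render('Teams/Show', [
            'team' => $team->load('owner', 'users', 'teamInvitations'),
        ]);
    }

    // AFTER: membership still gates the page, but members and pending
    // invitations are serialized only for users holding the permission the
    // API checks. Everyone else gets empty collections and a flag the UI can
    // use to hide the panel, so the data never reaches the browser.
    public function showHardened(Request $request, Team $team): Response
    {
        $user = $request->user();
        abort_unless($user->belongsToTeam($team), 403);

        // Reuse the API's permission check (assumed permission name).
        $canReadMembers = $user->hasTeamPermission($team, 'member:read');

        return Inertia::render('Teams/Show', [
            // Only the owner relation is loaded unconditionally.
            'team' => $team->load('owner'),
            // Minimize what is serialized even for authorized users.
            'members' => $canReadMembers
                ? $team->users->map(fn ($u) => ['id' => $u->id, 'name' => $u->name])
                : collect(),
            'pendingInvitations' => $canReadMembers
                ? $team->teamInvitations->map(fn ($i) => [
                    'id' => $i->id,
                    'email' => $i->email,
                    'role' => $i->role,
                ])
                : collect(),
            'permissions' => [
                'canReadMembers' => $canReadMembers,
            ],
        ]);
    }
}
```

To confirm a deployment is no longer exposing the data, log in as a low-privilege member and request the team page with the `X-Inertia: true` header (or inspect the `data-page` attribute in the rendered HTML); the JSON props should contain no invitation emails or member entries for that user, matching what the API returns for the same account.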
Defensive priority
MEDIUM
Recommended defensive actions
- Update Solidtime to version 0.12.2 or later.
- Review team page access controls to ensure proper authorization.
Evidence notes
CVE-2026-47236 has a CVSS score of 4.3 and is classified as MEDIUM severity. The vulnerability was published and modified on June 12, 2026.
Official resources
CVE-2026-47236 was published on 2026-06-12T19:16:28.523Z.