Improperly Controlled Modification of Dynamically-Determined Object Attributes in titra - CVE-2026-21695

Published: April 20, 2026


Vulnerability identifier: #VU126570
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-21695
CWE-ID: CWE-915
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Kromit
Affected software: titra

Detailed vulnerability description

The vulnerability allows a remote user to modify protected fields in time entries.

The vulnerability exists because the REST API endpoint that handles POST requests to /timeentry/create/ does not properly control which object attributes the customfields parameter may set (CWE-915). A remote user can send a specially crafted request to modify protected fields in time entries.

The issue can be exploited by overwriting fields such as userId, hours, and state through the customfields object, bypassing business logic controls.
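The pattern behind CWE-915 is a server-side object built from client input where the client-supplied object is merged over fields the server should own. The following is an added illustration, not titra's code: a hypothetical handler for the POST /timeentry/create/ request in the vulnerable shape beside a hardened version, plus a small check that flags request-log records whose customfields carry protected keys. Only the endpoint path, the customfields parameter and the field names userId, hours and state come from the advisory; the function names, the allow-list, the log format and the sample records are assumptions constructed for the example.

```javascript
// Added example (not titra's code) of the CWE-915 pattern named in the advisory.
// Assumptions: the handler builds a time-entry document from a request body and the
// session user; the allow-list, function names and log format are constructed here.

// Server-controlled fields: a client object must never be able to overwrite these.
// The advisory names userId, hours and state; the others are plausible additions.
const PROTECTED_FIELDS = new Set(['_id', 'userId', 'hours', 'state', 'projectId', 'date']);

// Hypothetical allow-list of extra fields a deployment may accept in customfields.
const ALLOWED_CUSTOM_FIELDS = new Set(['costCenter', 'ticketRef']);

// Vulnerable shape: customfields is spread over the document AFTER the server sets
// userId/hours/state, so any matching key in customfields silently wins.
function buildTimeEntryVulnerable(sessionUserId, body) {
  return {
    userId: sessionUserId,
    projectId: body.projectId,
    date: body.date,
    hours: Number(body.hours),
    state: 'new',
    ...body.customfields,
  };
}

// Keys in a customfields object that collide with server-controlled fields.
function findProtectedOverrides(customfields) {
  return Object.keys(customfields ?? {}).filter((k) => PROTECTED_FIELDS.has(k));
}

// Hardened shape: only allow-listed, string-valued custom keys are copied, and they
// live in a nested sub-document, so top-level fields stay under server control.
// Rejected keys are returned so the caller can log them.
function buildTimeEntryHardened(sessionUserId, body) {
  const customfields = {};
  const rejected = [];
  for (const [key, value] of Object.entries(body.customfields ?? {})) {
    const allowed = ALLOWED_CUSTOM_FIELDS.has(key) && !PROTECTED_FIELDS.has(key);
    if (!allowed || typeof value !== 'string' || value.length > 200) {
      rejected.push(key);
      continue;
    }
    customfields[key] = value;
  }
  return {
    entry: {
      userId: sessionUserId,
      projectId: body.projectId,
      date: body.date,
      hours: Number(body.hours),
      state: 'new',
      customfields,
    },
    rejected,
  };
}

// Detection: scan JSON request-log records (constructed format, one per line) for
// POSTs to the endpoint whose customfields contain protected keys.
function flagSuspiciousRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (rec.method !== 'POST' || !(rec.path ?? '').startsWith('/timeentry/create')) continue;
    const keys = findProtectedOverrides(rec.body?.customfields);
    if (keys.length > 0) hits.push({ user: rec.user, keys });
  }
  return hits;
}

// Constructed request body: legitimate custom field plus three protected keys.
const DEMO_BODY = {
  projectId: 'p1',
  date: '2026-04-20',
  hours: 2,
  customfields: { costCenter: 'CC-42', userId: 'someone-else', hours: 8, state: 'approved' },
};

// Constructed log records for the detection pass.
const SAMPLE_LOG = [
  JSON.stringify({ user: 'alice', method: 'POST', path: '/timeentry/create/',
    body: { projectId: 'p1', hours: 2, customfields: { costCenter: 'CC-42' } } }),
  JSON.stringify({ user: 'bob', method: 'POST', path: '/timeentry/create/',
    body: { projectId: 'p1', hours: 1, customfields: { userId: 'alice', state: 'approved' } } }),
  'not a json record',
];

console.log('vulnerable :', buildTimeEntryVulnerable('alice', DEMO_BODY));
console.log('hardened   :', buildTimeEntryHardened('alice', DEMO_BODY));
console.log('flagged    :', flagSuspiciousRequests(SAMPLE_LOG));
```

The hardened builder fixes the ordering problem twice over: it never spreads client input into the top-level document, and it only accepts keys it was told to expect, so a new protected field added later is safe by default. The `rejected` list and `flagSuspiciousRequests` give operators something to alert on while the vendor update is rolled out.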

How to mitigate CVE-2026-21695

Install the security update from the vendor's website.
