Improper access control in titra - CVE-2026-21694

Published: April 20, 2026


Vulnerability identifier: #VU126571
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-21694
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Kromit
Affected software:
titra

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify data in private projects.

The vulnerability exists due to improper access control in the GET /project/timeentries/:projectId, GET /project/timeentriesfordaterange/:projectId/:fromDate/:toDate, and POST /timeentry/create/ endpoints, which handle requests referencing another user's project ID without verifying that the requester is authorized for that project. A remote user can therefore send crafted API requests carrying another user's project ID to disclose sensitive information and modify data in private projects.

The project ID can be obtained through brute-forcing or social engineering.
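To show what the missing check looks like, here is an added example (not titra's code) of the vulnerable handler pattern beside a hardened one: the read endpoint (GET /project/timeentries/:projectId) and the write endpoint (POST /timeentry/create/) both need to verify that the caller is the project's owner or a team member before touching its time entries. The project and time-entry records, field names and handler shapes are all constructed for illustration.

```javascript
// Added example, not titra's code: data, field names and handler shapes are
// constructed; the pattern is the authorization check the endpoints need.

const projects = [
  { _id: 'proj-A', owner: 'alice', team: ['alice'] },
  { _id: 'proj-B', owner: 'bob', team: ['bob', 'carol'] },
];
const timeentries = [
  { _id: 't1', projectId: 'proj-A', userId: 'alice', hours: 2, task: 'design' },
  { _id: 't2', projectId: 'proj-B', userId: 'bob', hours: 4, task: 'internal audit' },
];

// Vulnerable pattern (CWE-284): only authentication is checked; the
// projectId from the URL is trusted, so any logged-in user can read
// any project's entries by supplying its ID.
function getTimeEntriesVulnerable(userId, projectId) {
  if (!userId) throw new Error('401 unauthenticated');
  return timeentries.filter((t) => t.projectId === projectId);
}

// Authorization: caller must own the project or be on its team. Missing
// and forbidden both yield null (a 404), so a guessed ID is not confirmed.
function authorizeProject(userId, projectId) {
  const project = projects.find((p) => p._id === projectId);
  if (!project) return null;
  return project.owner === userId || project.team.includes(userId) ? project : null;
}

function getTimeEntriesFixed(userId, projectId) {
  if (!userId) throw new Error('401 unauthenticated');
  if (!authorizeProject(userId, projectId)) throw new Error('404 not found');
  return timeentries.filter((t) => t.projectId === projectId);
}

// Same check on the write path (POST /timeentry/create/); fields are
// whitelisted and userId comes from the session, not the request body.
function createTimeEntryFixed(userId, body) {
  if (!userId) throw new Error('401 unauthenticated');
  const { projectId, hours, task } = body;
  if (!authorizeProject(userId, projectId)) throw new Error('404 not found');
  const entry = { _id: `t${timeentries.length + 1}`, projectId, userId, hours, task };
  timeentries.push(entry);
  return entry;
}

// True when fn throws an error whose message starts with the given status.
function isRejected(fn, status) {
  try { fn(); return false; } catch (e) { return e.message.startsWith(status); }
}
```

Calling `getTimeEntriesVulnerable('alice', 'proj-B')` returns bob's entry, while `getTimeEntriesFixed` with the same arguments is rejected with a 404; the same check on the create path stops entries being written into a project the caller does not belong to.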


How to mitigate CVE-2026-21694

Install the security update from the vendor's website.

Sources