CVE-2026-21695

4.3 MEDIUM

📋 TL;DR

This CVE describes a Mass Assignment vulnerability in Titra time tracking software that allows authenticated users to inject arbitrary fields into time entries via the customfields parameter. Attackers can overwrite protected fields like userId, hours, and state, bypassing business logic controls. All users running Titra versions 0.99.49 and below are affected.

💻 Affected Systems

Products:
  • Titra
Versions: 0.99.49 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the vulnerable API endpoint.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could manipulate time tracking data, falsify work hours, assign work to incorrect users, or potentially escalate privileges by modifying user-related fields.

🟠

Likely Case

Unauthorized modification of time entries leading to inaccurate billing, payroll errors, or project management data corruption.

🟢

If Mitigated

Limited to minor data integrity issues if proper input validation and field whitelisting are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of the vulnerable API endpoint structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.99.50

Vendor Advisory: https://github.com/kromitgmbh/titra/security/advisories/GHSA-gc65-vr47-jppq

Restart Required: Yes

Instructions:

1. Update Titra to version 0.99.50 or later.
2. Restart the Titra application/service.
3. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Input Validation Middleware (applies to: all)

Implement server-side validation to restrict the allowed fields in the customfields parameter.

API Endpoint Restriction (applies to: all)

Temporarily restrict or disable access to the vulnerable API endpoint.

🧯 If You Can't Patch

  • Implement strict input validation to only allow specific whitelisted fields in customfields parameter
  • Add authentication and authorization checks to ensure users can only modify their own time entries
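One way to implement the allowlisting workaround above, as an added example that is not Titra's own code: customfields keys are copied only if they are on a deployment-defined allowlist, protected entry fields (userId, hours, state, as named in this advisory) always come from the session and validated form instead, and any protected key found in the client payload is reported so it can be logged as a mass-assignment attempt. The allowlist contents and the function names are assumptions.

```javascript
// Added example, not part of Titra. Fields the client must never set via
// customfields (the ones this advisory names; extend for your deployment).
const PROTECTED_FIELDS = new Set(['userId', 'hours', 'state']);

// Custom field names this deployment actually allows (constructed sample).
const ALLOWED_CUSTOM_FIELDS = new Set(['ticket', 'costCenter']);

/**
 * Returns { fields, dropped, protectedHits }: `fields` holds only allowlisted
 * keys copied from `input`, `dropped` lists every rejected key, and
 * `protectedHits` lists rejected keys that collide with protected entry
 * fields, so the caller can log them as a possible mass-assignment attempt.
 */
function sanitizeCustomFields(input) {
  const fields = {};
  const dropped = [];
  const protectedHits = [];
  // Non-object payloads (null, arrays, strings) carry no usable custom fields.
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { fields, dropped, protectedHits };
  }
  for (const key of Object.keys(input)) {
    if (PROTECTED_FIELDS.has(key)) {
      protectedHits.push(key);
      dropped.push(key);
    } else if (ALLOWED_CUSTOM_FIELDS.has(key)) {
      fields[key] = input[key];
    } else {
      dropped.push(key); // unknown key: never merged into the entry
    }
  }
  return { fields, dropped, protectedHits };
}

/**
 * Builds the update document for a time entry. Protected fields are taken
 * from the authenticated session (userId) and the validated form (hours),
 * never from the customfields payload. `suspicious` flags protected keys
 * that the client tried to smuggle in.
 */
function buildTimeEntryUpdate(sessionUserId, hours, customfields) {
  const { fields, protectedHits } = sanitizeCustomFields(customfields);
  return {
    update: { userId: sessionUserId, hours, customfields: fields },
    suspicious: protectedHits.length > 0,
    protectedHits,
  };
}

// Constructed request body resembling the pattern described in the advisory.
const sample = { ticket: 'T-123', userId: 'someone-else', hours: 99, state: 'approved' };
console.log(JSON.stringify(buildTimeEntryUpdate('alice', 2.5, sample)));
```

The `suspicious` flag and `protectedHits` list are the values worth emitting to the application log, since they match the log indicators listed under Detection & Monitoring.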

🔍 How to Verify

Check if Vulnerable:

Check whether the Titra version is 0.99.49 or below and whether the time entry API endpoint accepts a customfields parameter with arbitrary keys.

Check Version:

Check Titra application settings or package.json for version information

Verify Fix Applied:

Verify that the Titra version is 0.99.50 or later and test that the customfields parameter no longer accepts protected field names.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests to time entry endpoints with customfields containing protected field names
  • Multiple failed validation attempts on customfields parameter

Network Indicators:

  • HTTP POST/PUT requests to time entry API with customfields parameter containing userId, hours, or state fields

SIEM Query:

source="titra" AND (customfields.userId OR customfields.hours OR customfields.state)
