CVE-2026-42092
Global Settings Publication Exposes Sensitive Configuration to Any Authenticated User in Titra
| CVSS Score | 6.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as google_secret, openai_apikey, and google_clientid. At time of publication no public patch is available.
| CWE | CWE-200 |
| Vendor | titraio |
| Product | titra |
| Published | May 4, 2026 |
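The missing role check described above, next to a hardened form, as an added example that is not Titra's code. The publish/subscribe registry is a small stand-in that mirrors the shape of a Meteor publish handler (`this.userId`); the `{ name, value }` document shape, the `isAdmin` flag, the `timeunit` setting and all values are assumptions constructed for illustration.

```javascript
// Constructed sample data; the { name, value } document shape is an assumption.
const GLOBAL_SETTINGS = [
  { name: 'timeunit', value: 'h' }, // hypothetical non-sensitive setting
  { name: 'google_clientid', value: 'constructed-client-id' },
  { name: 'google_secret', value: 'constructed-secret' },
  { name: 'openai_apikey', value: 'constructed-key' },
];
// Hypothetical user records; isAdmin stands in for whatever role check the app uses.
const USERS = { u1: { isAdmin: false }, a1: { isAdmin: true } };
// Allow-list of settings a non-admin client may receive, so that a newly
// added secret stays private unless someone explicitly lists it here.
const PUBLIC_SETTINGS = new Set(['timeunit']);

// Minimal stand-in for a publication registry. Handlers run with this.userId
// set, like a Meteor publish function. This is not Meteor itself.
const publications = {};
function publish(name, handler) { publications[name] = handler; }
function subscribe(name, userId) {
  return publications[name].call({ userId }) || [];
}

// Behaviour described in the advisory: login is enough, no role check.
publish('globalsettings.vulnerable', function () {
  if (!this.userId) return [];
  return GLOBAL_SETTINGS;
});

// Hardened: admins get everything, other users only allow-listed names.
publish('globalsettings.hardened', function () {
  const user = USERS[this.userId];
  if (!user) return [];
  if (user.isAdmin) return GLOBAL_SETTINGS;
  return GLOBAL_SETTINGS.filter((s) => PUBLIC_SETTINGS.has(s.name));
});

// Setting names a given user would receive from a publication.
function receivedNames(pubName, userId) {
  return subscribe(pubName, userId).map((s) => s.name);
}

console.log('non-admin, vulnerable:', receivedNames('globalsettings.vulnerable', 'u1'));
console.log('non-admin, hardened:  ', receivedNames('globalsettings.hardened', 'u1'));
```

Filtering by an allow-list on the server matters because anything a publication returns reaches the client, whether or not the UI displays it.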
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
Affected Versions
titraio / titra
= 0.99.52