CVE-2026-42092

Source
https://cve.org/CVERecord?id=CVE-2026-42092
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42092.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42092
Aliases
  • GHSA-4h9p-49hg-vppw
Published
2026-05-04T17:30:46.421Z
Modified
2026-07-15T01:49:08.161920030Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Global Settings Publication Exposes Sensitive Configuration to Any Authenticated User in Titra
Details

titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as googlesecret, openaiapikey, and google_clientid. At time of publication no public patch is available.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42092.json"
}
References

Affected packages

Git / github.com/titraio/titra

Affected ranges

Type
GIT
Repo
https://github.com/titraio/titra
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "= 0.99.52"
        },
        {
            "last_affected": "= 0.99.52"
        }
    ]
}

Affected versions

0.*
0.99.52
= 0.*
= 0.99.52

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42092.json"