Cyber Resilience

CVE-2026-21694

MediumPublic PoC

Published: 08 January 2026

Published
08 January 2026
Modified
12 January 2026
KEV Added
Patch
CVSS Score v3.1 6.8 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0024 15.4th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-21694 is a medium-severity Improper Access Control (CWE-284) vulnerability in Kromit Titra. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-21694 is an Improper Access Control vulnerability (CWE-284) in Titra, an open source project time tracking software. The flaw affects versions 0.99.49 and below, where users can view and edit other users' time entries in private projects to which they have not been granted access. It carries a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating medium severity with high confidentiality and integrity impacts but no availability effects.

Low-privileged authenticated users (PR:L) can exploit this over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Attackers with such access can achieve high confidentiality by viewing unauthorized time entries in private projects and high integrity by editing them, potentially leading to data tampering or exposure of sensitive project details.

The vulnerability is fixed in Titra version 0.99.50. GitHub security advisories (GHSA-mr2r-wjf8-cj3c) and the fixing commit (29e6b88eca005107729e45a6f1731cf0fa5f8938) on the Titra repository detail the patch, recommending an upgrade to the remedied version for mitigation.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Titra is open source project time tracking software. Versions 0.99.49 and below have Improper Access Control, allowing users to view and edit other users' time entries in private projects they have not been granted access to. This issue is fixed…

more

in version 0.99.50.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Improper access control directly enables unauthorized viewing (collection) and editing (stored data manipulation) of time entries in the application's information repository.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-69288Same product: Kromit Titra
CVE-2026-32752Shared CWE-284
CVE-2024-56889Shared CWE-284
CVE-2026-31872Shared CWE-284
CVE-2026-20736Shared CWE-284
CVE-2024-44303Shared CWE-284
CVE-2026-2592Shared CWE-284
CVE-2025-30433Shared CWE-284
CVE-2026-40904Shared CWE-284
CVE-2026-20628Shared CWE-284

Affected Assets

kromit
titra
≤ 0.99.50

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations for logical access to time-entry objects, blocking the unauthorized view/edit of private-project entries described in the CVE.

prevent

Limits each user to the minimum set of privileges needed for their own time entries, preventing the over-privileged access that the flaw permits.

prevent

Requires prompt installation of the vendor patch (0.99.50) that corrects the improper access-control logic in Titra.

References